LUKS and GELI support.

* Makefile.util.def (libgrubkern.a): Add grub-core/lib/crypto.c,
	grub-core/disk/luks.c, grub-core/disk/geli.c,
	grub-core/disk/cryptodisk.c, grub-core/disk/AFSplitter.c,
	grub-core/lib/pbkdf2.c, grub-core/commands/extcmd.c,
	grub-core/lib/arg.c.
	(libgrubmods.a): Remove gcrypts cflags and cppflags.
	Remove grub-core/commands/extcmd.c, grub-core/lib/arg.c,
	grub-core/lib/crypto.c, grub-core/lib/libgcrypt-grub/cipher/sha512.c,
	grub-core/lib/libgcrypt-grub/cipher/crc.c and grub-core/lib/pbkdf2.c.
	(grub-bin2h): Add libgcry.a.
	(grub-mkimage): Likewise.
	(grub-mkrelpath): Likewise.
	(grub-script-check): Likewise.
	(grub-editenv): Likewise.
	(grub-mkpasswd-pbkdf2): Likewise.
	(grub-pe2elf): Likewise.
	(grub-fstest): Likewise.
	(grub-mkfont): Likewise.
	(grub-mkdevicemap): Likewise.
	(grub-probe): Likewise.
	(grub-ofpath): Likewise.
	(grub-mklayout): Likewise.
	(example_unit_test): Likewise.
	(grub-menulst2cfg): Likewise.
	* autogen.sh (UTIL_DEFS): Add Makefile.utilgcry.def.
	* grub-core/Makefile.core.def (cryptodisk): New module.
	(luks): Likewise.
	(geli): Likewise.
	* grub-core/disk/AFSplitter.c: New file.
	* grub-core/disk/cryptodisk.c: Likewise.
	* grub-core/disk/geli.c: Likewise.
	* grub-core/disk/luks.c: Likewise.
	* grub-core/kern/emu/getroot.c (get_dm_uuid): New function based on
	grub_util_is_lvm.
	(grub_util_get_dm_abstraction): New function.
	(grub_util_follow_gpart_up): Likewise.
	(grub_util_get_geom_abstraction): Likewise.
	(grub_util_get_dev_abstraction): Use new functions.
	(grub_util_pull_device): Pull GELI and LUKS.
	(grub_util_get_grub_dev): Handle LUKS and GELI.
	* grub-core/kern/emu/hostdisk.c (grub_util_get_fd_sectors): New function.
	(grub_util_biosdisk_open): Use grub_util_get_fd_sectors.
	(follow_geom_up): Removed.
	(grub_util_fd_seek): New function.
	(open_device): Use grub_util_fd_seek.
	(nread): Rename to ..
	(grub_util_fd_read): ... this. All users updated.
	* grub-core/lib/crypto.c (grub_crypto_ecb_decrypt): A better prototype.
	(grub_crypto_cbc_decrypt): Likewise.
	(grub_crypto_hmac_write): Likewise.
	(grub_crypto_hmac_buffer): Likewise.
	(grub_password_get): Extend to util.
	* include/grub/crypto.h (gcry_cipher_spec) [GRUB_UTIL]:
	New member modname.
	(gcry_md_spec) [GRUB_UTIL]: Likewise.
	* include/grub/cryptodisk.h: New file.
	* include/grub/disk.h (grub_disk_dev_id): Rename LUKS to CRYPTODISK.
	* include/grub/emu/getroot.h (grub_dev_abstraction_types): Add
	LUKS and GELI.
	(grub_util_follow_gpart_up): New proto.
	* include/grub/emu/hostdisk.h (grub_util_fd_seek): Likewise.
	(grub_util_fd_read): Likewise.
	(grub_cryptodisk_cheat_mount): Likewise.
	(grub_util_cryptodisk_print_uuid): Likewise.
	(grub_util_get_fd_sectors): Likewise.
	* util/grub-fstest.c (mount_crypt): New var.
	(fstest): Mount crypto if requested.
	(options): New option -C.
	(argp_parser): Parse -C.
	(main): Init and fini gcry.
	* util/grub-install.in: Support cryptodisk install.
	* util/grub-mkconfig.in: Export GRUB_ENABLE_CRYPTODISK.
	* util/grub-mkconfig_lib.in (is_path_readable_by_grub): Support
	cryptodisk.
	(prepare_grub_to_access_device): Likewise.
	* util/grub-mkpasswd-pbkdf2.c (main): Use grub_password_get.
	* util/grub-probe.c (probe_partmap): Support cryptodisk UUID probe.
	(probe_cryptodisk_uuid): New function.
	(probe_abstraction): Likewise.
	(probe): Use new functions.
	* util/import_gcry.py: Create Makefile.utilgcry.def.
	Add modname member.

	Also-By: Michael Gorven <michael@gorven.za.net>

	Also-By: Clemens Fruhwirth <clemens@endorphin.org>
This commit is contained in:
Vladimir Serbinenko 2011-07-07 23:52:58 +02:00 committed by Vladimir 'phcoder' Serbinenko
commit a251b71915
24 changed files with 2971 additions and 346 deletions

View file

@ -160,3 +160,4 @@ widthspec.bin
widthspec.h widthspec.h
docs/stamp-1 docs/stamp-1
docs/version-dev.texi docs/version-dev.texi
Makefile.utilgcry.def

View file

@ -1,3 +1,92 @@
2011-07-07 Vladimir Serbinenko <phcoder@gmail.com>
2011-07-07 Michael Gorven <michael@gorven.za.net>
2011-07-07 Clemens Fruhwirth <clemens@endorphin.org>
LUKS and GELI support.
* Makefile.util.def (libgrubkern.a): Add grub-core/lib/crypto.c,
grub-core/disk/luks.c, grub-core/disk/geli.c,
grub-core/disk/cryptodisk.c, grub-core/disk/AFSplitter.c,
grub-core/lib/pbkdf2.c, grub-core/commands/extcmd.c,
grub-core/lib/arg.c.
(libgrubmods.a): Remove gcrypts cflags and cppflags.
Remove grub-core/commands/extcmd.c, grub-core/lib/arg.c,
grub-core/lib/crypto.c, grub-core/lib/libgcrypt-grub/cipher/sha512.c,
grub-core/lib/libgcrypt-grub/cipher/crc.c and grub-core/lib/pbkdf2.c.
(grub-bin2h): Add libgcry.a.
(grub-mkimage): Likewise.
(grub-mkrelpath): Likewise.
(grub-script-check): Likewise.
(grub-editenv): Likewise.
(grub-mkpasswd-pbkdf2): Likewise.
(grub-pe2elf): Likewise.
(grub-fstest): Likewise.
(grub-mkfont): Likewise.
(grub-mkdevicemap): Likewise.
(grub-probe): Likewise.
(grub-ofpath): Likewise.
(grub-mklayout): Likewise.
(example_unit_test): Likewise.
(grub-menulst2cfg): Likewise.
* autogen.sh (UTIL_DEFS): Add Makefile.utilgcry.def.
* grub-core/Makefile.core.def (cryptodisk): New module.
(luks): Likewise.
(geli): Likewise.
* grub-core/disk/AFSplitter.c: New file.
* grub-core/disk/cryptodisk.c: Likewise.
* grub-core/disk/geli.c: Likewise.
* grub-core/disk/luks.c: Likewise.
* grub-core/kern/emu/getroot.c (get_dm_uuid): New function based on
grub_util_is_lvm.
(grub_util_get_dm_abstraction): New function.
(grub_util_follow_gpart_up): Likewise.
(grub_util_get_geom_abstraction): Likewise.
(grub_util_get_dev_abstraction): Use new functions.
(grub_util_pull_device): Pull GELI and LUKS.
(grub_util_get_grub_dev): Handle LUKS and GELI.
* grub-core/kern/emu/hostdisk.c (grub_util_get_fd_sectors): New function.
(grub_util_biosdisk_open): Use grub_util_get_fd_sectors.
(follow_geom_up): Removed.
(grub_util_fd_seek): New function.
(open_device): Use grub_util_fd_seek.
(nread): Rename to ..
(grub_util_fd_read): ... this. All users updated.
* grub-core/lib/crypto.c (grub_crypto_ecb_decrypt): A better prototype.
(grub_crypto_cbc_decrypt): Likewise.
(grub_crypto_hmac_write): Likewise.
(grub_crypto_hmac_buffer): Likewise.
(grub_password_get): Extend to util.
* include/grub/crypto.h (gcry_cipher_spec) [GRUB_UTIL]:
New member modname.
(gcry_md_spec) [GRUB_UTIL]: Likewise.
* include/grub/cryptodisk.h: New file.
* include/grub/disk.h (grub_disk_dev_id): Rename LUKS to CRYPTODISK.
* include/grub/emu/getroot.h (grub_dev_abstraction_types): Add
LUKS and GELI.
(grub_util_follow_gpart_up): New proto.
* include/grub/emu/hostdisk.h (grub_util_fd_seek): Likewise.
(grub_util_fd_read): Likewise.
(grub_cryptodisk_cheat_mount): Likewise.
(grub_util_cryptodisk_print_uuid): Likewise.
(grub_util_get_fd_sectors): Likewise.
* util/grub-fstest.c (mount_crypt): New var.
(fstest): Mount crypto if requested.
(options): New option -C.
(argp_parser): Parse -C.
(main): Init and fini gcry.
* util/grub-install.in: Support cryptodisk install.
* util/grub-mkconfig.in: Export GRUB_ENABLE_CRYPTODISK.
* util/grub-mkconfig_lib.in (is_path_readable_by_grub): Support
cryptodisk.
(prepare_grub_to_access_device): Likewise.
* util/grub-mkpasswd-pbkdf2.c (main): Use grub_password_get.
* util/grub-probe.c (probe_partmap): Support cryptodisk UUID probe.
(probe_cryptodisk_uuid): New function.
(probe_abstraction): Likewise.
(probe): Use new functions.
* util/import_gcry.py: Create Makefile.utilgcry.def.
Add modname member.
2011-07-07 Vladimir Serbinenko <phcoder@gmail.com> 2011-07-07 Vladimir Serbinenko <phcoder@gmail.com>
Lazy device scanning. Lazy device scanning.

View file

@ -21,12 +21,18 @@ library = {
common = grub-core/kern/list.c; common = grub-core/kern/list.c;
common = grub-core/kern/misc.c; common = grub-core/kern/misc.c;
common = grub-core/kern/partition.c; common = grub-core/kern/partition.c;
common = grub-core/lib/crypto.c;
common = grub-core/disk/luks.c;
common = grub-core/disk/geli.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
common = grub-core/lib/pbkdf2.c;
common = grub-core/commands/extcmd.c;
common = grub-core/lib/arg.c;
}; };
library = { library = {
name = libgrubmods.a; name = libgrubmods.a;
cflags = '$(CFLAGS_GCRY)';
cppflags = '$(CPPFLAGS_GCRY)';
common_nodist = grub_script.tab.c; common_nodist = grub_script.tab.c;
common_nodist = grub_script.yy.c; common_nodist = grub_script.yy.c;
@ -36,7 +42,6 @@ library = {
common = grub-core/commands/blocklist.c; common = grub-core/commands/blocklist.c;
common = grub-core/commands/testload.c; common = grub-core/commands/testload.c;
common = grub-core/commands/extcmd.c;
common = grub-core/commands/ls.c; common = grub-core/commands/ls.c;
common = grub-core/disk/dmraid_nvidia.c; common = grub-core/disk/dmraid_nvidia.c;
common = grub-core/disk/loopback.c; common = grub-core/disk/loopback.c;
@ -79,15 +84,10 @@ library = {
common = grub-core/fs/zfs/zfs_lzjb.c; common = grub-core/fs/zfs/zfs_lzjb.c;
common = grub-core/fs/zfs/zfs_sha256.c; common = grub-core/fs/zfs/zfs_sha256.c;
common = grub-core/fs/zfs/zfs_fletcher.c; common = grub-core/fs/zfs/zfs_fletcher.c;
common = grub-core/lib/arg.c;
common = grub-core/lib/crypto.c;
common = grub-core/lib/envblk.c; common = grub-core/lib/envblk.c;
common = grub-core/lib/hexdump.c; common = grub-core/lib/hexdump.c;
common = grub-core/lib/libgcrypt-grub/cipher/sha512.c;
common = grub-core/lib/libgcrypt-grub/cipher/crc.c;
common = grub-core/lib/LzFind.c; common = grub-core/lib/LzFind.c;
common = grub-core/lib/LzmaEnc.c; common = grub-core/lib/LzmaEnc.c;
common = grub-core/lib/pbkdf2.c;
common = grub-core/lib/crc.c; common = grub-core/lib/crc.c;
common = grub-core/normal/datetime.c; common = grub-core/normal/datetime.c;
common = grub-core/normal/misc.c; common = grub-core/normal/misc.c;
@ -113,6 +113,7 @@ program = {
name = grub-bin2h; name = grub-bin2h;
common = util/bin2h.c; common = util/bin2h.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER)';
@ -128,6 +129,7 @@ program = {
extra_dist = util/grub-mkimagexx.c; extra_dist = util/grub-mkimagexx.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBLZMA)'; ldadd = '$(LIBLZMA)';
@ -142,6 +144,7 @@ program = {
common = util/grub-mkrelpath.c; common = util/grub-mkrelpath.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -154,6 +157,7 @@ program = {
common = util/grub-script-check.c; common = util/grub-script-check.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -166,6 +170,7 @@ program = {
common = util/grub-editenv.c; common = util/grub-editenv.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -178,6 +183,7 @@ program = {
common = util/grub-mkpasswd-pbkdf2.c; common = util/grub-mkpasswd-pbkdf2.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -198,6 +204,7 @@ program = {
common = util/grub-pe2elf.c; common = util/grub-pe2elf.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL)'; ldadd = '$(LIBINTL)';
@ -216,6 +223,7 @@ program = {
cppflags = '$(CPPFLAGS_GCRY)'; cppflags = '$(CPPFLAGS_GCRY)';
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -230,6 +238,7 @@ program = {
cflags = '$(freetype_cflags)'; cflags = '$(freetype_cflags)';
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(freetype_libs)'; ldadd = '$(freetype_libs)';
@ -250,6 +259,7 @@ program = {
sparc64_ieee1275 = util/ieee1275/devicemap.c; sparc64_ieee1275 = util/ieee1275/devicemap.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -262,6 +272,7 @@ program = {
common = util/grub-probe.c; common = util/grub-probe.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -279,6 +290,7 @@ program = {
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = libgrubgcry.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -294,6 +306,7 @@ program = {
ieee1275 = util/ieee1275/ofpath.c; ieee1275 = util/ieee1275/ofpath.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBGEOM)';
@ -308,6 +321,7 @@ program = {
common = util/grub-mklayout.c; common = util/grub-mklayout.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -619,6 +633,7 @@ program = {
common = grub-core/tests/lib/test.c; common = grub-core/tests/lib/test.c;
cflags = -Wno-format; cflags = -Wno-format;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@ -632,6 +647,7 @@ program = {
common = grub-core/lib/i386/pc/vesa_modes_table.c; common = grub-core/lib/i386/pc/vesa_modes_table.c;
ldadd = libgrubmods.a; ldadd = libgrubmods.a;
ldadd = libgrubgcry.a;
ldadd = libgrubkern.a; ldadd = libgrubkern.a;
ldadd = grub-core/gnulib/libgnu.a; ldadd = grub-core/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

View file

@ -26,7 +26,7 @@ if [ "x${GRUB_CONTRIB}" != x ]; then
[ "${GRUB_CONTRIB}" = grub-core/contrib ] || ln -s ../contrib grub-core/contrib [ "${GRUB_CONTRIB}" = grub-core/contrib ] || ln -s ../contrib grub-core/contrib
fi fi
UTIL_DEFS=Makefile.util.def UTIL_DEFS='Makefile.util.def Makefile.utilgcry.def'
CORE_DEFS='grub-core/Makefile.core.def grub-core/Makefile.gcry.def' CORE_DEFS='grub-core/Makefile.core.def grub-core/Makefile.gcry.def'
for extra in contrib/*/Makefile.util.def; do for extra in contrib/*/Makefile.util.def; do

View file

@ -817,6 +817,22 @@ module = {
common = disk/loopback.c; common = disk/loopback.c;
}; };
module = {
name = cryptodisk;
common = disk/cryptodisk.c;
};
module = {
name = luks;
common = disk/luks.c;
common = disk/AFSplitter.c;
};
module = {
name = geli;
common = disk/geli.c;
};
module = { module = {
name = lvm; name = lvm;
common = disk/lvm.c; common = disk/lvm.c;

View file

@ -0,0 +1,89 @@
/*
* AFsplitter - Anti forensic information splitter
* Copyright 2004, Clemens Fruhwirth <clemens@endorphin.org>
*
* AFsplitter diffuses information over a large stripe of data,
* therefor supporting secure data destruction.
*
* This program is grub_free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the grub_free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Library General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the grub_free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
#include <grub/crypto.h>
#include <grub/mm.h>
#include <grub/misc.h>
gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
grub_uint8_t * dst, grub_size_t blocksize,
grub_size_t blocknumbers);
static void
diffuse (const gcry_md_spec_t * hash, grub_uint8_t * src,
grub_uint8_t * dst, grub_size_t size)
{
grub_size_t i;
grub_uint32_t IV; /* host byte order independend hash IV */
grub_size_t fullblocks = size / hash->mdlen;
int padding = size % hash->mdlen;
grub_uint8_t final[hash->mdlen];
grub_uint8_t temp[sizeof (IV) + hash->mdlen];
/* hash block the whole data set with different IVs to produce
* more than just a single data block
*/
for (i = 0; i < fullblocks; i++)
{
IV = grub_cpu_to_be32 (i);
grub_memcpy (temp, &IV, sizeof (IV));
grub_memcpy (temp + sizeof (IV), src + hash->mdlen * i, hash->mdlen);
grub_crypto_hash (hash, dst + hash->mdlen * i, temp,
sizeof (IV) + hash->mdlen);
}
if (padding)
{
IV = grub_cpu_to_be32 (i);
grub_memcpy (temp, &IV, sizeof (IV));
grub_memcpy (temp + sizeof (IV), src + hash->mdlen * i, padding);
grub_crypto_hash (hash, final, temp, sizeof (IV) + padding);
grub_memcpy (dst + hash->mdlen * i, final, padding);
}
}
/**
* Merges the splitted master key stored on disk into the original key
*/
gcry_err_code_t
AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, grub_uint8_t * dst,
grub_size_t blocksize, grub_size_t blocknumbers)
{
grub_size_t i;
grub_uint8_t *bufblock;
bufblock = grub_zalloc (blocksize);
if (bufblock == NULL)
return GPG_ERR_OUT_OF_MEMORY;
grub_memset (bufblock, 0, blocksize);
for (i = 0; i < blocknumbers - 1; i++)
{
grub_crypto_xor (bufblock, src + (blocksize * i), bufblock, blocksize);
diffuse (hash, bufblock, bufblock, blocksize);
}
grub_crypto_xor (dst, src + (i * blocksize), bufblock, blocksize);
grub_free (bufblock);
return GPG_ERR_NO_ERROR;
}

884
grub-core/disk/cryptodisk.c Normal file
View file

@ -0,0 +1,884 @@
/*
* GRUB -- GRand Unified Bootloader
* Copyright (C) 2003,2007,2010,2011 Free Software Foundation, Inc.
*
* GRUB is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GRUB is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
#include <grub/cryptodisk.h>
#include <grub/mm.h>
#include <grub/misc.h>
#include <grub/dl.h>
#include <grub/extcmd.h>
#include <grub/i18n.h>
#ifdef GRUB_UTIL
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grub/emu/hostdisk.h>
#include <unistd.h>
#include <string.h>
#endif
GRUB_MOD_LICENSE ("GPLv3+");
grub_cryptodisk_dev_t grub_cryptodisk_list;
static const struct grub_arg_option options[] =
{
{"uuid", 'u', 0, N_("Mount by UUID."), 0, 0},
{"all", 'a', 0, N_("Mount all."), 0, 0},
{"boot", 'b', 0, N_("Mount all volumes marked as boot."), 0, 0},
{0, 0, 0, 0, 0, 0}
};
/* Our irreducible polynom is x^128+x^7+x^2+x+1. Lowest byte of it is: */
#define GF_POLYNOM 0x87
static inline int GF_PER_SECTOR (const struct grub_cryptodisk *dev)
{
return 1U << (dev->log_sector_size - GRUB_CRYPTODISK_GF_LOG_BYTES);
}
static grub_cryptodisk_t cryptodisk_list = NULL;
static grub_uint8_t n = 0;
static void
gf_mul_x (grub_uint8_t *g)
{
int over = 0, over2 = 0;
unsigned j;
for (j = 0; j < GRUB_CRYPTODISK_GF_BYTES; j++)
{
over2 = !!(g[j] & 0x80);
g[j] <<= 1;
g[j] |= over;
over = over2;
}
if (over)
g[0] ^= GF_POLYNOM;
}
static void
gf_mul_x_be (grub_uint8_t *g)
{
int over = 0, over2 = 0;
int j;
for (j = (int) GRUB_CRYPTODISK_GF_BYTES - 1; j >= 0; j--)
{
over2 = !!(g[j] & 0x80);
g[j] <<= 1;
g[j] |= over;
over = over2;
}
if (over)
g[GRUB_CRYPTODISK_GF_BYTES - 1] ^= GF_POLYNOM;
}
static void
gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
{
unsigned i;
grub_uint8_t t[GRUB_CRYPTODISK_GF_BYTES];
grub_memset (o, 0, GRUB_CRYPTODISK_GF_BYTES);
grub_memcpy (t, b, GRUB_CRYPTODISK_GF_BYTES);
for (i = 0; i < GRUB_CRYPTODISK_GF_SIZE; i++)
{
if (((a[GRUB_CRYPTODISK_GF_BYTES - i / 8 - 1] >> (i % 8))) & 1)
grub_crypto_xor (o, o, t, GRUB_CRYPTODISK_GF_BYTES);
gf_mul_x_be (t);
}
}
static gcry_err_code_t
grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher,
void *out, void *in, grub_size_t size,
void *iv)
{
grub_uint8_t *inptr, *outptr, *end;
grub_uint8_t ivt[cipher->cipher->blocksize];
if (!cipher->cipher->decrypt)
return GPG_ERR_NOT_SUPPORTED;
if (size % cipher->cipher->blocksize != 0)
return GPG_ERR_INV_ARG;
end = (grub_uint8_t *) in + size;
for (inptr = in, outptr = out; inptr < end;
inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)
{
grub_memcpy (ivt, inptr, cipher->cipher->blocksize);
cipher->cipher->decrypt (cipher->ctx, outptr, inptr);
grub_crypto_xor (outptr, outptr, iv, cipher->cipher->blocksize);
grub_crypto_xor (iv, ivt, outptr, cipher->cipher->blocksize);
}
return GPG_ERR_NO_ERROR;
}
struct lrw_sector
{
grub_uint8_t low[GRUB_CRYPTODISK_GF_BYTES];
grub_uint8_t high[GRUB_CRYPTODISK_GF_BYTES];
grub_uint8_t low_byte, low_byte_c;
};
static void
generate_lrw_sector (struct lrw_sector *sec,
const struct grub_cryptodisk *dev,
const grub_uint8_t *iv)
{
grub_uint8_t idx[GRUB_CRYPTODISK_GF_BYTES];
grub_uint16_t c;
int j;
grub_memcpy (idx, iv, GRUB_CRYPTODISK_GF_BYTES);
sec->low_byte = (idx[GRUB_CRYPTODISK_GF_BYTES - 1]
& (GF_PER_SECTOR (dev) - 1));
sec->low_byte_c = (((GF_PER_SECTOR (dev) - 1) & ~sec->low_byte) + 1);
idx[GRUB_CRYPTODISK_GF_BYTES - 1] &= ~(GF_PER_SECTOR (dev) - 1);
gf_mul_be (sec->low, dev->lrw_key, idx);
if (!sec->low_byte)
return;
c = idx[GRUB_CRYPTODISK_GF_BYTES - 1] + GF_PER_SECTOR (dev);
if (c & 0x100)
{
for (j = GRUB_CRYPTODISK_GF_BYTES - 2; j >= 0; j--)
{
idx[j]++;
if (idx[j] != 0)
break;
}
}
idx[GRUB_CRYPTODISK_GF_BYTES - 1] = c;
gf_mul_be (sec->high, dev->lrw_key, idx);
}
static void __attribute__ ((unused))
lrw_xor (const struct lrw_sector *sec,
const struct grub_cryptodisk *dev,
grub_uint8_t *b)
{
unsigned i;
for (i = 0; i < sec->low_byte_c * GRUB_CRYPTODISK_GF_BYTES;
i += GRUB_CRYPTODISK_GF_BYTES)
grub_crypto_xor (b + i, b + i, sec->low, GRUB_CRYPTODISK_GF_BYTES);
grub_crypto_xor (b, b, dev->lrw_precalc + GRUB_CRYPTODISK_GF_BYTES * sec->low_byte,
sec->low_byte_c * GRUB_CRYPTODISK_GF_BYTES);
if (!sec->low_byte)
return;
for (i = sec->low_byte_c * GRUB_CRYPTODISK_GF_BYTES;
i < (1U << dev->log_sector_size); i += GRUB_CRYPTODISK_GF_BYTES)
grub_crypto_xor (b + i, b + i, sec->high, GRUB_CRYPTODISK_GF_BYTES);
grub_crypto_xor (b + sec->low_byte_c * GRUB_CRYPTODISK_GF_BYTES,
b + sec->low_byte_c * GRUB_CRYPTODISK_GF_BYTES,
dev->lrw_precalc, sec->low_byte * GRUB_CRYPTODISK_GF_BYTES);
}
gcry_err_code_t
grub_cryptodisk_decrypt (struct grub_cryptodisk *dev,
grub_uint8_t * data, grub_size_t len,
grub_disk_addr_t sector)
{
grub_size_t i;
gcry_err_code_t err;
/* The only mode without IV. */
if (dev->mode == GRUB_CRYPTODISK_MODE_ECB && !dev->rekey)
return grub_crypto_ecb_decrypt (dev->cipher, data, data, len);
for (i = 0; i < len; i += (1U << dev->log_sector_size))
{
grub_size_t sz = ((dev->cipher->cipher->blocksize
+ sizeof (grub_uint32_t) - 1)
/ sizeof (grub_uint32_t));
grub_uint32_t iv[sz];
if (dev->rekey)
{
grub_uint64_t zone = sector >> dev->rekey_shift;
if (zone != dev->last_rekey)
{
err = dev->rekey (dev, zone);
if (err)
return err;
dev->last_rekey = zone;
}
}
grub_memset (iv, 0, sz * sizeof (iv[0]));
switch (dev->mode_iv)
{
case GRUB_CRYPTODISK_MODE_IV_NULL:
break;
case GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64_HASH:
{
grub_uint64_t tmp;
grub_uint64_t ctx[(dev->iv_hash->contextsize + 7) / 8];
grub_memset (ctx, 0, sizeof (ctx));
tmp = grub_cpu_to_le64 (sector << dev->log_sector_size);
dev->iv_hash->init (ctx);
dev->iv_hash->write (ctx, dev->iv_prefix, dev->iv_prefix_len);
dev->iv_hash->write (ctx, &tmp, sizeof (tmp));
dev->iv_hash->final (ctx);
grub_memcpy (iv, dev->iv_hash->read (ctx), sizeof (iv));
}
break;
case GRUB_CRYPTODISK_MODE_IV_PLAIN64:
iv[1] = grub_cpu_to_le32 (sector >> 32);
case GRUB_CRYPTODISK_MODE_IV_PLAIN:
iv[0] = grub_cpu_to_le32 (sector & 0xFFFFFFFF);
break;
case GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64:
iv[1] = grub_cpu_to_le32 (sector >> (32 - dev->log_sector_size));
iv[0] = grub_cpu_to_le32 ((sector << dev->log_sector_size)
& 0xFFFFFFFF);
break;
case GRUB_CRYPTODISK_MODE_IV_BENBI:
{
grub_uint64_t num = (sector << dev->benbi_log) + 1;
iv[sz - 2] = grub_cpu_to_be32 (num >> 32);
iv[sz - 1] = grub_cpu_to_be32 (num & 0xFFFFFFFF);
}
break;
case GRUB_CRYPTODISK_MODE_IV_ESSIV:
iv[0] = grub_cpu_to_le32 (sector & 0xFFFFFFFF);
err = grub_crypto_ecb_encrypt (dev->essiv_cipher, iv, iv,
dev->cipher->cipher->blocksize);
if (err)
return err;
}
switch (dev->mode)
{
case GRUB_CRYPTODISK_MODE_CBC:
err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
(1U << dev->log_sector_size), iv);
if (err)
return err;
break;
case GRUB_CRYPTODISK_MODE_PCBC:
err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
(1U << dev->log_sector_size), iv);
if (err)
return err;
break;
case GRUB_CRYPTODISK_MODE_XTS:
{
unsigned j;
err = grub_crypto_ecb_encrypt (dev->secondary_cipher, iv, iv,
dev->cipher->cipher->blocksize);
if (err)
return err;
for (j = 0; j < (1U << dev->log_sector_size);
j += dev->cipher->cipher->blocksize)
{
grub_crypto_xor (data + i + j, data + i + j, iv,
dev->cipher->cipher->blocksize);
err = grub_crypto_ecb_decrypt (dev->cipher, data + i + j,
data + i + j,
dev->cipher->cipher->blocksize);
if (err)
return err;
grub_crypto_xor (data + i + j, data + i + j, iv,
dev->cipher->cipher->blocksize);
gf_mul_x ((grub_uint8_t *) iv);
}
}
break;
case GRUB_CRYPTODISK_MODE_LRW:
{
struct lrw_sector sec;
generate_lrw_sector (&sec, dev, (grub_uint8_t *) iv);
lrw_xor (&sec, dev, data + i);
err = grub_crypto_ecb_decrypt (dev->cipher, data + i,
data + i,
(1U << dev->log_sector_size));
if (err)
return err;
lrw_xor (&sec, dev, data + i);
}
break;
case GRUB_CRYPTODISK_MODE_ECB:
grub_crypto_ecb_decrypt (dev->cipher, data + i, data + i,
(1U << dev->log_sector_size));
break;
default:
return GPG_ERR_NOT_IMPLEMENTED;
}
sector++;
}
return GPG_ERR_NO_ERROR;
}
gcry_err_code_t
grub_cryptodisk_setkey (grub_cryptodisk_t dev, grub_uint8_t *key, grub_size_t keysize)
{
gcry_err_code_t err;
int real_keysize;
real_keysize = keysize;
if (dev->mode == GRUB_CRYPTODISK_MODE_XTS)
real_keysize /= 2;
if (dev->mode == GRUB_CRYPTODISK_MODE_LRW)
real_keysize -= dev->cipher->cipher->blocksize;
/* Set the PBKDF2 output as the cipher key. */
err = grub_crypto_cipher_set_key (dev->cipher, key, real_keysize);
if (err)
return err;
/* Configure ESSIV if necessary. */
if (dev->mode_iv == GRUB_CRYPTODISK_MODE_IV_ESSIV)
{
grub_size_t essiv_keysize = dev->essiv_hash->mdlen;
grub_uint8_t hashed_key[essiv_keysize];
grub_crypto_hash (dev->essiv_hash, hashed_key, key, keysize);
err = grub_crypto_cipher_set_key (dev->essiv_cipher,
hashed_key, essiv_keysize);
if (err)
return err;
}
if (dev->mode == GRUB_CRYPTODISK_MODE_XTS)
{
err = grub_crypto_cipher_set_key (dev->secondary_cipher,
key + real_keysize,
keysize / 2);
if (err)
return err;
}
if (dev->mode == GRUB_CRYPTODISK_MODE_LRW)
{
unsigned i;
grub_uint8_t idx[GRUB_CRYPTODISK_GF_BYTES];
grub_free (dev->lrw_precalc);
grub_memcpy (dev->lrw_key, key + real_keysize,
dev->cipher->cipher->blocksize);
dev->lrw_precalc = grub_malloc ((1U << dev->log_sector_size));
if (!dev->lrw_precalc)
return GPG_ERR_OUT_OF_MEMORY;
grub_memset (idx, 0, GRUB_CRYPTODISK_GF_BYTES);
for (i = 0; i < (1U << dev->log_sector_size);
i += GRUB_CRYPTODISK_GF_BYTES)
{
idx[GRUB_CRYPTODISK_GF_BYTES - 1] = i / GRUB_CRYPTODISK_GF_BYTES;
gf_mul_be (dev->lrw_precalc + i, idx, dev->lrw_key);
}
}
return GPG_ERR_NO_ERROR;
}
static int
grub_cryptodisk_iterate (int (*hook) (const char *name),
grub_disk_pull_t pull)
{
grub_cryptodisk_t i;
if (pull != GRUB_DISK_PULL_NONE)
return 0;
for (i = cryptodisk_list; i != NULL; i = i->next)
{
char buf[30];
grub_snprintf (buf, sizeof (buf), "crypto%lu", i->id);
if (hook (buf))
return 1;
}
return GRUB_ERR_NONE;
}
static grub_err_t
grub_cryptodisk_open (const char *name, grub_disk_t disk,
grub_disk_pull_t pull __attribute__ ((unused)))
{
grub_cryptodisk_t dev;
if (grub_memcmp (name, "crypto", sizeof ("crypto") - 1) != 0)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "No such device");
if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
{
for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
break;
}
else
{
unsigned long id = grub_strtoul (name + sizeof ("crypto") - 1, 0, 0);
if (grub_errno)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "No such device");
/* Search for requested device in the list of CRYPTODISK devices. */
for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
if (dev->id == id)
break;
}
if (!dev)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "No such device");
disk->log_sector_size = dev->log_sector_size;
#ifdef GRUB_UTIL
if (dev->cheat)
{
if (dev->cheat_fd == -1)
dev->cheat_fd = open (dev->cheat, O_RDONLY);
if (dev->cheat_fd == -1)
return grub_error (GRUB_ERR_IO, "couldn't open %s: %s",
dev->cheat, strerror (errno));
}
#endif
if (!dev->source_disk)
{
grub_dprintf ("cryptodisk", "Opening device %s\n", name);
/* Try to open the source disk and populate the requested disk. */
dev->source_disk = grub_disk_open (dev->source);
if (!dev->source_disk)
return grub_errno;
}
disk->data = dev;
disk->total_sectors = dev->total_length;
disk->id = dev->id;
dev->ref++;
return GRUB_ERR_NONE;
}
static void
grub_cryptodisk_close (grub_disk_t disk)
{
grub_cryptodisk_t dev = (grub_cryptodisk_t) disk->data;
grub_dprintf ("cryptodisk", "Closing disk\n");
dev->ref--;
if (dev->ref != 0)
return;
#ifdef GRUB_UTIL
if (dev->cheat)
{
close (dev->cheat_fd);
dev->cheat_fd = -1;
}
#endif
grub_disk_close (dev->source_disk);
dev->source_disk = NULL;
}
static grub_err_t
grub_cryptodisk_read (grub_disk_t disk, grub_disk_addr_t sector,
grub_size_t size, char *buf)
{
grub_cryptodisk_t dev = (grub_cryptodisk_t) disk->data;
grub_err_t err;
gcry_err_code_t gcry_err;
#ifdef GRUB_UTIL
if (dev->cheat)
{
err = grub_util_fd_seek (dev->cheat_fd, dev->cheat,
sector << disk->log_sector_size);
if (err)
return err;
if (grub_util_fd_read (dev->cheat_fd, buf, size << disk->log_sector_size)
!= (ssize_t) (size << disk->log_sector_size))
return grub_error (GRUB_ERR_READ_ERROR, "cannot read from `%s'",
dev->cheat);
return GRUB_ERR_NONE;
}
#endif
grub_dprintf ("cryptodisk",
"Reading %" PRIuGRUB_SIZE " sectors from sector 0x%"
PRIxGRUB_UINT64_T " with offset of %" PRIuGRUB_UINT64_T "\n",
size, sector, dev->offset);
err = grub_disk_read (dev->source_disk,
(sector << (disk->log_sector_size
- GRUB_DISK_SECTOR_BITS)) + dev->offset, 0,
size << disk->log_sector_size, buf);
if (err)
{
grub_dprintf ("cryptodisk", "grub_disk_read failed with error %d\n", err);
return err;
}
gcry_err = grub_cryptodisk_decrypt (dev, (grub_uint8_t *) buf,
size << disk->log_sector_size,
sector);
return grub_crypto_gcry_error (gcry_err);
}
static grub_err_t
grub_cryptodisk_write (grub_disk_t disk __attribute ((unused)),
grub_disk_addr_t sector __attribute ((unused)),
grub_size_t size __attribute ((unused)),
const char *buf __attribute ((unused)))
{
return GRUB_ERR_NOT_IMPLEMENTED_YET;
}
#ifdef GRUB_UTIL
static grub_disk_memberlist_t
grub_cryptodisk_memberlist (grub_disk_t disk)
{
grub_cryptodisk_t dev = (grub_cryptodisk_t) disk->data;
grub_disk_memberlist_t list = NULL;
list = grub_malloc (sizeof (*list));
if (list)
{
list->disk = dev->source_disk;
list->next = NULL;
}
return list;
}
#endif
static void
cryptodisk_cleanup (void)
{
grub_cryptodisk_t dev = cryptodisk_list;
grub_cryptodisk_t tmp;
while (dev != NULL)
{
grub_free (dev->source);
grub_free (dev->cipher);
grub_free (dev->secondary_cipher);
grub_free (dev->essiv_cipher);
tmp = dev->next;
grub_free (dev);
dev = tmp;
}
}
grub_err_t
grub_cryptodisk_insert (grub_cryptodisk_t newdev, const char *name,
grub_disk_t source)
{
newdev->source = grub_strdup (name);
if (!newdev->source)
{
grub_free (newdev);
return grub_errno;
}
newdev->id = n++;
newdev->source_id = source->id;
newdev->source_dev_id = source->dev->id;
newdev->next = cryptodisk_list;
cryptodisk_list = newdev;
return GRUB_ERR_NONE;
}
grub_cryptodisk_t
grub_cryptodisk_get_by_uuid (const char *uuid)
{
grub_cryptodisk_t dev;
for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
if (grub_strcasecmp (dev->uuid, uuid) == 0)
return dev;
return NULL;
}
grub_cryptodisk_t
grub_cryptodisk_get_by_source_disk (grub_disk_t disk)
{
grub_cryptodisk_t dev;
for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
if (dev->source_id == disk->id && dev->source_dev_id == disk->dev->id)
return dev;
return NULL;
}
#ifdef GRUB_UTIL
grub_err_t
grub_cryptodisk_cheat_insert (grub_cryptodisk_t newdev, const char *name,
grub_disk_t source, const char *cheat)
{
newdev->cheat = grub_strdup (cheat);
newdev->source = grub_strdup (name);
if (!newdev->source || !newdev->cheat)
{
grub_free (newdev->source);
grub_free (newdev->cheat);
return grub_errno;
}
newdev->cheat_fd = -1;
newdev->source_id = source->id;
newdev->source_dev_id = source->dev->id;
newdev->id = n++;
newdev->next = cryptodisk_list;
cryptodisk_list = newdev;
return GRUB_ERR_NONE;
}
void
grub_util_cryptodisk_print_abstraction (grub_disk_t disk)
{
grub_cryptodisk_t dev = (grub_cryptodisk_t) disk->data;
grub_printf ("cryptodisk %s ", dev->modname);
if (dev->cipher)
grub_printf ("%s ", dev->cipher->cipher->modname);
if (dev->secondary_cipher)
grub_printf ("%s ", dev->secondary_cipher->cipher->modname);
if (dev->essiv_cipher)
grub_printf ("%s ", dev->essiv_cipher->cipher->modname);
if (dev->hash)
grub_printf ("%s ", dev->hash->modname);
if (dev->essiv_hash)
grub_printf ("%s ", dev->essiv_hash->modname);
if (dev->iv_hash)
grub_printf ("%s ", dev->iv_hash->modname);
}
void
grub_util_cryptodisk_print_uuid (grub_disk_t disk)
{
grub_cryptodisk_t dev = (grub_cryptodisk_t) disk->data;
grub_printf ("%s ", dev->uuid);
}
#endif
static int check_boot, have_it;
static char *search_uuid;
static void
cryptodisk_close (grub_cryptodisk_t dev)
{
grub_crypto_cipher_close (dev->cipher);
grub_crypto_cipher_close (dev->secondary_cipher);
grub_crypto_cipher_close (dev->essiv_cipher);
grub_free (dev);
}
static grub_err_t
grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
{
grub_err_t err;
grub_cryptodisk_t dev;
grub_cryptodisk_dev_t cr;
dev = grub_cryptodisk_get_by_source_disk (source);
if (dev)
return GRUB_ERR_NONE;
FOR_CRYPTODISK_DEVS (cr)
{
dev = cr->scan (source, search_uuid, check_boot);
if (grub_errno)
return grub_errno;
if (!dev)
continue;
err = cr->recover_key (source, dev);
if (err)
{
cryptodisk_close (dev);
return err;
}
grub_cryptodisk_insert (dev, name, source);
have_it = 1;
return GRUB_ERR_NONE;
}
return GRUB_ERR_NONE;
}
#ifdef GRUB_UTIL
#include <grub/util/misc.h>
grub_err_t
grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
{
grub_err_t err;
grub_cryptodisk_t dev;
grub_cryptodisk_dev_t cr;
grub_disk_t source;
/* Try to open disk. */
source = grub_disk_open (sourcedev);
if (!source)
return grub_errno;
dev = grub_cryptodisk_get_by_source_disk (source);
if (dev)
{
grub_disk_close (source);
return GRUB_ERR_NONE;
}
FOR_CRYPTODISK_DEVS (cr)
{
dev = cr->scan (source, search_uuid, check_boot);
if (grub_errno)
return grub_errno;
if (!dev)
continue;
grub_util_info ("cheatmounted %s (%s) at %s", sourcedev, dev->modname,
cheat);
err = grub_cryptodisk_cheat_insert (dev, sourcedev, source, cheat);
grub_disk_close (source);
if (err)
grub_free (dev);
return GRUB_ERR_NONE;
}
grub_disk_close (source);
return GRUB_ERR_NONE;
}
#endif
static int
grub_cryptodisk_scan_device (const char *name)
{
grub_err_t err;
grub_disk_t source;
/* Try to open disk. */
source = grub_disk_open (name);
if (!source)
return grub_errno;
err = grub_cryptodisk_scan_device_real (name, source);
grub_disk_close (source);
if (err)
grub_print_error ();
return have_it && search_uuid ? 1 : 0;
}
static grub_err_t
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
struct grub_arg_list *state = ctxt->state;
if (argc < 1 && !state[1].set && !state[2].set)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
have_it = 0;
if (state[0].set)
{
grub_cryptodisk_t dev;
dev = grub_cryptodisk_get_by_uuid (args[0]);
if (dev)
{
grub_dprintf ("cryptodisk",
"already mounted as crypto%lu\n", dev->id);
return GRUB_ERR_NONE;
}
check_boot = state[2].set;
search_uuid = args[0];
grub_device_iterate (&grub_cryptodisk_scan_device);
search_uuid = NULL;
if (!have_it)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such cryptodisk found");
return GRUB_ERR_NONE;
}
else if (state[1].set || (argc == 0 && state[2].set))
{
search_uuid = NULL;
check_boot = state[2].set;
grub_device_iterate (&grub_cryptodisk_scan_device);
search_uuid = NULL;
return GRUB_ERR_NONE;
}
else
{
grub_err_t err;
grub_disk_t disk;
grub_cryptodisk_t dev;
search_uuid = NULL;
check_boot = state[2].set;
disk = grub_disk_open (args[0]);
if (!disk)
return grub_errno;
dev = grub_cryptodisk_get_by_source_disk (disk);
if (dev)
{
grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id);
grub_disk_close (disk);
return GRUB_ERR_NONE;
}
err = grub_cryptodisk_scan_device_real (args[0], disk);
grub_disk_close (disk);
return err;
}
}
static struct grub_disk_dev grub_cryptodisk_dev = {
.name = "cryptodisk",
.id = GRUB_DISK_DEVICE_CRYPTODISK_ID,
.iterate = grub_cryptodisk_iterate,
.open = grub_cryptodisk_open,
.close = grub_cryptodisk_close,
.read = grub_cryptodisk_read,
.write = grub_cryptodisk_write,
#ifdef GRUB_UTIL
.memberlist = grub_cryptodisk_memberlist,
#endif
.next = 0
};
static grub_extcmd_t cmd;
GRUB_MOD_INIT (cryptodisk)
{
grub_disk_dev_register (&grub_cryptodisk_dev);
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
N_("SOURCE|-u UUID|-a|-b"),
N_("Mount a crypto device."), options);
}
GRUB_MOD_FINI (cryptodisk)
{
grub_disk_dev_unregister (&grub_cryptodisk_dev);
cryptodisk_cleanup ();
}

536
grub-core/disk/geli.c Normal file
View file

@ -0,0 +1,536 @@
/*
* GRUB -- GRand Unified Bootloader
* Copyright (C) 2003,2007,2010,2011 Free Software Foundation, Inc.
*
* GRUB is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GRUB is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
/* This file is loosely based on FreeBSD geli implementation
(but no code was directly copied). FreeBSD geli is distributed under
following terms: */
/*-
* Copyright (c) 2005-2006 Pawel Jakub Dawidek <pjd@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <grub/cryptodisk.h>
#include <grub/types.h>
#include <grub/misc.h>
#include <grub/mm.h>
#include <grub/dl.h>
#include <grub/err.h>
#include <grub/disk.h>
#include <grub/crypto.h>
#include <grub/partition.h>
#include <grub/i18n.h>
GRUB_MOD_LICENSE ("GPLv3+");
struct grub_geli_key
{
grub_uint8_t iv_key[64];
grub_uint8_t cipher_key[64];
grub_uint8_t hmac[64];
} __attribute__ ((packed));
struct grub_geli_phdr
{
grub_uint8_t magic[16];
#define GELI_MAGIC "GEOM::ELI"
grub_uint32_t version;
grub_uint32_t flags;
grub_uint16_t alg;
grub_uint16_t keylen;
grub_uint16_t unused3[5];
grub_uint32_t sector_size;
grub_uint8_t keys_used;
grub_uint32_t niter;
grub_uint8_t salt[64];
struct grub_geli_key keys[2];
} __attribute__ ((packed));
enum
{
GRUB_GELI_FLAGS_ONETIME = 1,
GRUB_GELI_FLAGS_BOOT = 2,
};
/* FIXME: support version 0. */
/* FIXME: support big-endian pre-version-4 volumes. */
/* FIXME: support for keyfiles. */
/* FIXME: support for HMAC. */
const char *algorithms[] = {
[0x01] = "des",
[0x02] = "3des",
[0x03] = "blowfish",
[0x04] = "cast5",
/* FIXME: 0x05 is skipjack, but we don't have it. */
[0x0b] = "aes",
/* FIXME: 0x10 is null. */
[0x15] = "camellia128",
[0x16] = "aes"
};
#define MAX_PASSPHRASE 256
static gcry_err_code_t
geli_rekey (struct grub_cryptodisk *dev, grub_uint64_t zoneno)
{
gcry_err_code_t gcry_err;
const struct {
char magic[4];
grub_uint64_t zone;
} __attribute__ ((packed)) tohash
= { {'e', 'k', 'e', 'y'}, grub_cpu_to_le64 (zoneno) };
grub_uint64_t key[(dev->hash->mdlen + 7) / 8];
grub_dprintf ("geli", "rekeying %" PRIuGRUB_UINT64_T " keysize=%d\n",
zoneno, dev->rekey_derived_size);
gcry_err = grub_crypto_hmac_buffer (dev->hash, dev->rekey_key, 64,
&tohash, sizeof (tohash), key);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
return grub_cryptodisk_setkey (dev, (grub_uint8_t *) key,
dev->rekey_derived_size);
}
static inline int
ascii2hex (char c)
{
if (c >= '0' && c <= '9')
return c - '0';
if (c >= 'a' && c <= 'f')
return c - 'a' + 10;
if (c >= 'A' && c <= 'F')
return c - 'A' + 10;
return 0;
}
static inline gcry_err_code_t
make_uuid (const struct grub_geli_phdr *header,
char *uuid)
{
grub_uint8_t uuidbin[GRUB_MD_SHA256->mdlen];
gcry_err_code_t err;
grub_uint8_t *iptr;
char *optr;
err = grub_crypto_hmac_buffer (GRUB_MD_SHA256,
header->salt, sizeof (header->salt),
"uuid", sizeof ("uuid") - 1, uuidbin);
if (err)
return err;
optr = uuid;
for (iptr = uuidbin; iptr < &uuidbin[ARRAY_SIZE (uuidbin)]; iptr++)
{
grub_snprintf (optr, 3, "%02x", *iptr);
optr += 2;
}
*optr = 0;
return GPG_ERR_NO_ERROR;
}
#ifdef GRUB_UTIL
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grub/emu/hostdisk.h>
#include <unistd.h>
#include <string.h>
#include <grub/emu/misc.h>
char *
grub_util_get_geli_uuid (const char *dev)
{
int fd = open (dev, O_RDONLY);
grub_uint64_t s;
unsigned log_secsize;
grub_uint8_t hdr[512];
struct grub_geli_phdr *header;
char *uuid;
gcry_err_code_t err;
if (fd < 0)
return NULL;
s = grub_util_get_fd_sectors (fd, &log_secsize);
grub_util_fd_seek (fd, dev, (s << log_secsize) - 512);
uuid = xmalloc (GRUB_MD_SHA256->mdlen * 2 + 1);
if (grub_util_fd_read (fd, (void *) &hdr, 512) < 0)
grub_util_error ("couldn't read ELI metadata");
COMPILE_TIME_ASSERT (sizeof (header) <= 512);
header = (void *) &hdr;
/* Look for GELI magic sequence. */
if (grub_memcmp (header->magic, GELI_MAGIC, sizeof (GELI_MAGIC))
|| grub_le_to_cpu32 (header->version) > 5
|| grub_le_to_cpu32 (header->version) < 1)
grub_util_error ("wrong ELI magic or version");
err = make_uuid ((void *) &hdr, uuid);
if (err)
return NULL;
return uuid;
}
#endif
static grub_cryptodisk_t
configure_ciphers (grub_disk_t disk, const char *check_uuid,
int boot_only)
{
grub_cryptodisk_t newdev;
struct grub_geli_phdr header;
grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
const struct gcry_cipher_spec *ciph;
const char *ciphername = NULL;
gcry_err_code_t gcry_err;
char uuid[GRUB_MD_SHA256->mdlen * 2 + 1];
grub_disk_addr_t sector;
grub_err_t err;
sector = grub_disk_get_size (disk);
if (sector == GRUB_DISK_SIZE_UNKNOWN || sector == 0)
return NULL;
/* Read the GELI header. */
err = grub_disk_read (disk, sector - 1, 0, sizeof (header), &header);
if (err)
return NULL;
/* Look for GELI magic sequence. */
if (grub_memcmp (header.magic, GELI_MAGIC, sizeof (GELI_MAGIC))
|| grub_le_to_cpu32 (header.version) > 5
|| grub_le_to_cpu32 (header.version) < 1)
{
grub_dprintf ("geli", "wrong magic %02x\n", header.magic[0]);
return NULL;
}
if ((grub_le_to_cpu32 (header.sector_size)
& (grub_le_to_cpu32 (header.sector_size) - 1))
|| grub_le_to_cpu32 (header.sector_size) == 0)
{
grub_dprintf ("geli", "incorrect sector size %d\n",
grub_le_to_cpu32 (header.sector_size));
return NULL;
}
if (grub_le_to_cpu32 (header.flags) & GRUB_GELI_FLAGS_ONETIME)
{
grub_dprintf ("geli", "skipping one-time volume\n");
return NULL;
}
if (boot_only && !(grub_le_to_cpu32 (header.flags) & GRUB_GELI_FLAGS_BOOT))
{
grub_dprintf ("geli", "not a boot volume\n");
return NULL;
}
gcry_err = make_uuid (&header, uuid);
if (gcry_err)
{
grub_crypto_gcry_error (gcry_err);
return NULL;
}
if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
{
grub_dprintf ("geli", "%s != %s\n", uuid, check_uuid);
return NULL;
}
if (grub_le_to_cpu16 (header.alg) >= ARRAY_SIZE (algorithms)
|| algorithms[grub_le_to_cpu16 (header.alg)] == NULL)
{
grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher 0x%x unknown",
grub_le_to_cpu16 (header.alg));
return NULL;
}
ciphername = algorithms[grub_le_to_cpu16 (header.alg)];
ciph = grub_crypto_lookup_cipher_by_name (ciphername);
if (!ciph)
{
grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
ciphername);
return NULL;
}
/* Configure the cipher used for the bulk data. */
cipher = grub_crypto_cipher_open (ciph);
if (!cipher)
return NULL;
if (grub_le_to_cpu16 (header.alg) == 0x16)
{
secondary_cipher = grub_crypto_cipher_open (ciph);
if (!secondary_cipher)
return NULL;
}
if (grub_le_to_cpu16 (header.keylen) > 1024)
{
grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
grub_le_to_cpu16 (header.keylen));
return NULL;
}
newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
if (!newdev)
return NULL;
newdev->cipher = cipher;
newdev->secondary_cipher = secondary_cipher;
newdev->offset = 0;
newdev->source_disk = NULL;
newdev->benbi_log = 0;
if (grub_le_to_cpu16 (header.alg) == 0x16)
{
newdev->mode = GRUB_CRYPTODISK_MODE_XTS;
newdev->mode_iv = GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64;
}
else
{
newdev->mode = GRUB_CRYPTODISK_MODE_CBC;
newdev->mode_iv = GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64_HASH;
}
newdev->essiv_cipher = NULL;
newdev->essiv_hash = NULL;
newdev->hash = GRUB_MD_SHA512;
newdev->iv_hash = GRUB_MD_SHA256;
for (newdev->log_sector_size = 0;
(1U << newdev->log_sector_size) < grub_le_to_cpu32 (header.sector_size);
newdev->log_sector_size++);
if (grub_le_to_cpu32 (header.version) >= 5)
{
newdev->rekey = geli_rekey;
newdev->rekey_shift = 20;
}
#ifdef GRUB_UTIL
newdev->modname = "geli";
#endif
newdev->total_length = grub_disk_get_size (disk) - 1;
grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= 32 * 2 + 1);
return newdev;
}
static grub_err_t
recover_key (grub_disk_t source, grub_cryptodisk_t dev)
{
grub_size_t keysize;
grub_uint8_t digest[dev->hash->mdlen];
grub_uint8_t geomkey[dev->hash->mdlen];
grub_uint8_t verify_key[dev->hash->mdlen];
grub_uint8_t zero[dev->cipher->cipher->blocksize];
char passphrase[MAX_PASSPHRASE] = "";
unsigned i;
gcry_err_code_t gcry_err;
struct grub_geli_phdr header;
char *tmp;
grub_disk_addr_t sector;
grub_err_t err;
sector = grub_disk_get_size (source);
if (sector == GRUB_DISK_SIZE_UNKNOWN || sector == 0)
return grub_error (GRUB_ERR_OUT_OF_RANGE, "not a geli");
/* Read the GELI header. */
err = grub_disk_read (source, sector - 1, 0, sizeof (header), &header);
if (err)
return err;
keysize = grub_le_to_cpu16 (header.keylen) / 8;
grub_memset (zero, 0, sizeof (zero));
grub_printf ("Attempting to decrypt master key...\n");
/* Get the passphrase from the user. */
tmp = NULL;
if (source->partition)
tmp = grub_partition_get_name (source->partition);
grub_printf ("Enter passphrase for %s%s%s (%s): ", source->name,
source->partition ? "," : "", tmp ? : "",
dev->uuid);
grub_free (tmp);
if (!grub_password_get (passphrase, MAX_PASSPHRASE))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
/* Calculate the PBKDF2 of the user supplied passphrase. */
if (grub_le_to_cpu32 (header.niter) != 0)
{
grub_uint8_t pbkdf_key[64];
gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
grub_strlen (passphrase),
header.salt,
sizeof (header.salt),
grub_le_to_cpu32 (header.niter),
pbkdf_key, sizeof (pbkdf_key));
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
gcry_err = grub_crypto_hmac_buffer (dev->hash, NULL, 0, pbkdf_key,
sizeof (pbkdf_key), geomkey);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
}
else
{
struct grub_crypto_hmac_handle *hnd;
hnd = grub_crypto_hmac_init (dev->hash, NULL, 0);
if (!hnd)
return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);
grub_crypto_hmac_write (hnd, header.salt, sizeof (header.salt));
grub_crypto_hmac_write (hnd, passphrase, grub_strlen (passphrase));
gcry_err = grub_crypto_hmac_fini (hnd, geomkey);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
}
gcry_err = grub_crypto_hmac_buffer (dev->hash, geomkey,
sizeof (geomkey), "\1", 1, digest);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
gcry_err = grub_crypto_hmac_buffer (dev->hash, geomkey,
sizeof (geomkey), "\0", 1, verify_key);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
grub_dprintf ("geli", "keylen = %" PRIuGRUB_SIZE "\n", keysize);
/* Try to recover master key from each active keyslot. */
for (i = 0; i < ARRAY_SIZE (header.keys); i++)
{
struct grub_geli_key candidate_key;
grub_uint8_t key_hmac[dev->hash->mdlen];
/* Check if keyslot is enabled. */
if (! (header.keys_used & (1 << i)))
continue;
grub_dprintf ("geli", "Trying keyslot %d\n", i);
gcry_err = grub_crypto_cipher_set_key (dev->cipher,
digest, keysize);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
gcry_err = grub_crypto_cbc_decrypt (dev->cipher, &candidate_key,
&header.keys[i],
sizeof (candidate_key),
zero);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
gcry_err = grub_crypto_hmac_buffer (dev->hash, verify_key,
sizeof (verify_key),
&candidate_key,
(sizeof (candidate_key)
- sizeof (candidate_key.hmac)),
key_hmac);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
if (grub_memcmp (candidate_key.hmac, key_hmac, dev->hash->mdlen) != 0)
continue;
grub_printf ("Slot %d opened\n", i);
/* Set the master key. */
if (!dev->rekey)
{
grub_size_t real_keysize = keysize;
if (grub_le_to_cpu16 (header.alg) == 0x16)
real_keysize *= 2;
gcry_err = grub_cryptodisk_setkey (dev, candidate_key.cipher_key,
real_keysize);
if (gcry_err)
return grub_crypto_gcry_error (gcry_err);
}
else
{
grub_size_t real_keysize = keysize;
if (grub_le_to_cpu16 (header.alg) == 0x16)
real_keysize *= 2;
/* For a reason I don't know, the IV key is used in rekeying. */
grub_memcpy (dev->rekey_key, candidate_key.iv_key,
sizeof (candidate_key.iv_key));
dev->rekey_derived_size = real_keysize;
dev->last_rekey = -1;
COMPILE_TIME_ASSERT (sizeof (dev->rekey_key)
>= sizeof (candidate_key.iv_key));
}
dev->iv_prefix_len = sizeof (candidate_key.iv_key);
grub_memcpy (dev->iv_prefix, candidate_key.iv_key,
sizeof (candidate_key.iv_key));
COMPILE_TIME_ASSERT (sizeof (dev->iv_prefix) >= sizeof (candidate_key.iv_key));
return GRUB_ERR_NONE;
}
return GRUB_ACCESS_DENIED;
}
struct grub_cryptodisk_dev geli_crypto = {
.scan = configure_ciphers,
.recover_key = recover_key
};
GRUB_MOD_INIT (geli)
{
grub_cryptodisk_dev_register (&geli_crypto);
}
GRUB_MOD_FINI (geli)
{
grub_cryptodisk_dev_unregister (&geli_crypto);
}

470
grub-core/disk/luks.c Normal file
View file

@ -0,0 +1,470 @@
/*
* GRUB -- GRand Unified Bootloader
* Copyright (C) 2003,2007,2010,2011 Free Software Foundation, Inc.
*
* GRUB is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GRUB is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
#include <grub/cryptodisk.h>
#include <grub/types.h>
#include <grub/misc.h>
#include <grub/mm.h>
#include <grub/dl.h>
#include <grub/err.h>
#include <grub/disk.h>
#include <grub/crypto.h>
#include <grub/partition.h>
#include <grub/i18n.h>
GRUB_MOD_LICENSE ("GPLv3+");
#define MAX_PASSPHRASE 256
#define LUKS_KEY_ENABLED 0x00AC71F3
/* On disk LUKS header */
struct grub_luks_phdr
{
grub_uint8_t magic[6];
#define LUKS_MAGIC "LUKS\xBA\xBE"
grub_uint16_t version;
char cipherName[32];
char cipherMode[32];
char hashSpec[32];
grub_uint32_t payloadOffset;
grub_uint32_t keyBytes;
grub_uint8_t mkDigest[20];
grub_uint8_t mkDigestSalt[32];
grub_uint32_t mkDigestIterations;
char uuid[40];
struct
{
grub_uint32_t active;
grub_uint32_t passwordIterations;
grub_uint8_t passwordSalt[32];
grub_uint32_t keyMaterialOffset;
grub_uint32_t stripes;
} keyblock[8];
} __attribute__ ((packed));
typedef struct grub_luks_phdr *grub_luks_phdr_t;
gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
grub_uint8_t * dst, grub_size_t blocksize,
grub_size_t blocknumbers);
static grub_cryptodisk_t
configure_ciphers (grub_disk_t disk, const char *check_uuid,
int check_boot)
{
grub_cryptodisk_t newdev;
const char *iptr;
struct grub_luks_phdr header;
char *optr;
char uuid[sizeof (header.uuid) + 1];
char ciphername[sizeof (header.cipherName) + 1];
char ciphermode[sizeof (header.cipherMode) + 1];
char *cipheriv = NULL;
char hashspec[sizeof (header.hashSpec) + 1];
grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
grub_crypto_cipher_handle_t essiv_cipher = NULL;
const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
const struct gcry_cipher_spec *ciph;
grub_cryptodisk_mode_t mode;
grub_cryptodisk_mode_iv_t mode_iv;
int benbi_log = 0;
grub_err_t err;
if (check_boot)
return NULL;
/* Read the LUKS header. */
err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
if (err)
{
if (err == GRUB_ERR_OUT_OF_RANGE)
grub_errno = GRUB_ERR_NONE;
return NULL;
}
/* Look for LUKS magic sequence. */
if (grub_memcmp (header.magic, LUKS_MAGIC, sizeof (header.magic))
|| grub_be_to_cpu16 (header.version) != 1)
return NULL;
optr = uuid;
for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
iptr++)
{
if (*iptr != '-')
*optr++ = *iptr;
}
*optr = 0;
if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
{
grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
return NULL;
}
/* Make sure that strings are null terminated. */
grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
ciphername[sizeof (header.cipherName)] = 0;
grub_memcpy (ciphermode, header.cipherMode, sizeof (header.cipherMode));
ciphermode[sizeof (header.cipherMode)] = 0;
grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
hashspec[sizeof (header.hashSpec)] = 0;
ciph = grub_crypto_lookup_cipher_by_name (ciphername);
if (!ciph)
{
grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
ciphername);
return NULL;
}
/* Configure the cipher used for the bulk data. */
cipher = grub_crypto_cipher_open (ciph);
if (!cipher)
return NULL;
if (grub_be_to_cpu32 (header.keyBytes) > 1024)
{
grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
grub_be_to_cpu32 (header.keyBytes));
return NULL;
}
/* Configure the cipher mode. */
if (grub_strcmp (ciphermode, "ecb") == 0)
{
mode = GRUB_CRYPTODISK_MODE_ECB;
mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
cipheriv = NULL;
}
else if (grub_strcmp (ciphermode, "plain") == 0)
{
mode = GRUB_CRYPTODISK_MODE_CBC;
mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
cipheriv = NULL;
}
else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
{
mode = GRUB_CRYPTODISK_MODE_CBC;
cipheriv = ciphermode + sizeof ("cbc-") - 1;
}
else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
{
mode = GRUB_CRYPTODISK_MODE_PCBC;
cipheriv = ciphermode + sizeof ("pcbc-") - 1;
}
else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
{
mode = GRUB_CRYPTODISK_MODE_XTS;
cipheriv = ciphermode + sizeof ("xts-") - 1;
secondary_cipher = grub_crypto_cipher_open (ciph);
if (!secondary_cipher)
{
grub_crypto_cipher_close (cipher);
return NULL;
}
if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
cipher->cipher->blocksize);
return NULL;
}
if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
secondary_cipher->cipher->blocksize);
return NULL;
}
}
else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
{
mode = GRUB_CRYPTODISK_MODE_LRW;
cipheriv = ciphermode + sizeof ("lrw-") - 1;
if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
cipher->cipher->blocksize);
return NULL;
}
}
else
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
ciphermode);
return NULL;
}
if (cipheriv == NULL);
else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
{
if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
|| cipher->cipher->blocksize == 0)
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
cipher->cipher->blocksize);
for (benbi_log = 0;
(cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
benbi_log++);
mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
}
else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
{
char *hash_str = cipheriv + 6;
mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
/* Configure the hash and cipher used for ESSIV. */
essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
if (!essiv_hash)
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_FILE_NOT_FOUND,
"Couldn't load %s hash", hash_str);
return NULL;
}
essiv_cipher = grub_crypto_cipher_open (ciph);
if (!essiv_cipher)
{
grub_crypto_cipher_close (cipher);
return NULL;
}
}
else
{
grub_crypto_cipher_close (cipher);
grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
cipheriv);
return NULL;
}
/* Configure the hash used for the AF splitter and HMAC. */
hash = grub_crypto_lookup_md_by_name (hashspec);
if (!hash)
{
grub_crypto_cipher_close (cipher);
grub_crypto_cipher_close (essiv_cipher);
grub_crypto_cipher_close (secondary_cipher);
grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
hashspec);
return NULL;
}
newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
if (!newdev)
return NULL;
newdev->cipher = cipher;
newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
newdev->source_disk = NULL;
newdev->benbi_log = benbi_log;
newdev->mode = mode;
newdev->mode_iv = mode_iv;
newdev->secondary_cipher = secondary_cipher;
newdev->essiv_cipher = essiv_cipher;
newdev->essiv_hash = essiv_hash;
newdev->hash = hash;
newdev->log_sector_size = 9;
newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
#ifdef GRUB_UTIL
newdev->modname = "luks";
#endif
COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
return newdev;
}
static grub_err_t
luks_recover_key (grub_disk_t source,
grub_cryptodisk_t dev)
{
struct grub_luks_phdr header;
grub_size_t keysize;
grub_uint8_t *split_key = NULL;
char passphrase[MAX_PASSPHRASE] = "";
grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
unsigned i;
grub_size_t length;
grub_err_t err;
grub_size_t max_stripes = 1;
char *tmp;
err = grub_disk_read (source, 0, 0, sizeof (header), &header);
if (err)
return err;
grub_printf ("Attempting to decrypt master key...\n");
keysize = grub_be_to_cpu32 (header.keyBytes);
for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
&& grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
split_key = grub_malloc (keysize * max_stripes);
if (!split_key)
return grub_errno;
/* Get the passphrase from the user. */
tmp = NULL;
if (source->partition)
tmp = grub_partition_get_name (source->partition);
grub_printf ("Enter passphrase for %s%s%s (%s): ", source->name,
source->partition ? "," : "", tmp ? : "",
dev->uuid);
grub_free (tmp);
if (!grub_password_get (passphrase, MAX_PASSPHRASE))
{
grub_free (split_key);
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
}
/* Try to recover master key from each active keyslot. */
for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
{
gcry_err_code_t gcry_err;
grub_uint8_t candidate_key[keysize];
grub_uint8_t digest[keysize];
/* Check if keyslot is enabled. */
if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
continue;
grub_dprintf ("luks", "Trying keyslot %d\n", i);
/* Calculate the PBKDF2 of the user supplied passphrase. */
gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
grub_strlen (passphrase),
header.keyblock[i].passwordSalt,
sizeof (header.keyblock[i].passwordSalt),
grub_be_to_cpu32 (header.keyblock[i].
passwordIterations),
digest, keysize);
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
grub_dprintf ("luks", "PBKDF2 done\n");
gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
/* Read and decrypt the key material from the disk. */
err = grub_disk_read (source,
grub_be_to_cpu32 (header.keyblock
[i].keyMaterialOffset), 0,
length, split_key);
if (err)
{
grub_free (split_key);
return err;
}
gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
/* Merge the decrypted key material to get the candidate master key. */
gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
grub_be_to_cpu32 (header.keyblock[i].stripes));
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
grub_dprintf ("luks", "candidate key recovered\n");
/* Calculate the PBKDF2 of the candidate master key. */
gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
grub_be_to_cpu32 (header.keyBytes),
header.mkDigestSalt,
sizeof (header.mkDigestSalt),
grub_be_to_cpu32
(header.mkDigestIterations),
candidate_digest,
sizeof (candidate_digest));
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
/* Compare the calculated PBKDF2 to the digest stored
in the header to see if it's correct. */
if (grub_memcmp (candidate_digest, header.mkDigest,
sizeof (header.mkDigest)) != 0)
{
grub_dprintf ("luks", "bad digest\n");
continue;
}
grub_printf ("Slot %d opened\n", i);
/* Set the master key. */
gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
if (gcry_err)
{
grub_free (split_key);
return grub_crypto_gcry_error (gcry_err);
}
grub_free (split_key);
return GRUB_ERR_NONE;
}
return GRUB_ACCESS_DENIED;
}
struct grub_cryptodisk_dev luks_crypto = {
.scan = configure_ciphers,
.recover_key = luks_recover_key
};
GRUB_MOD_INIT (luks)
{
COMPILE_TIME_ASSERT (sizeof (((struct grub_luks_phdr *) 0)->uuid)
< GRUB_CRYPTODISK_MAX_UUID_LENGTH);
grub_cryptodisk_dev_register (&luks_crypto);
}
GRUB_MOD_FINI (luks)
{
grub_cryptodisk_dev_unregister (&luks_crypto);
}

View file

@ -33,6 +33,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <stdint.h> #include <stdint.h>
#include <grub/util/misc.h> #include <grub/util/misc.h>
#include <grub/cryptodisk.h>
#ifdef HAVE_DEVICE_MAPPER #ifdef HAVE_DEVICE_MAPPER
# include <libdevmapper.h> # include <libdevmapper.h>
@ -698,58 +699,189 @@ grub_util_open_dm (const char *os_dev, struct dm_tree **tree,
#endif #endif
static int static char *
grub_util_is_lvm (const char *os_dev) get_dm_uuid (const char *os_dev)
{ {
if ((strncmp ("/dev/mapper/", os_dev, 12) != 0)) if ((strncmp ("/dev/mapper/", os_dev, 12) != 0))
return 0; return NULL;
#ifdef HAVE_DEVICE_MAPPER #ifdef HAVE_DEVICE_MAPPER
{ {
const char *node_uuid;
struct dm_tree *tree; struct dm_tree *tree;
struct dm_tree_node *node; struct dm_tree_node *node;
const char *node_uuid;
char *ret;
if (!grub_util_open_dm (os_dev, &tree, &node)) if (!grub_util_open_dm (os_dev, &tree, &node))
return 0; return NULL;
node_uuid = dm_tree_node_get_uuid (node); node_uuid = dm_tree_node_get_uuid (node);
if (! node_uuid) if (! node_uuid)
{ {
grub_dprintf ("hostdisk", "%s has no DM uuid\n", os_dev); grub_dprintf ("hostdisk", "%s has no DM uuid\n", os_dev);
dm_tree_free (tree); dm_tree_free (tree);
return 0; return NULL;
} }
if (strncmp (node_uuid, "LVM-", 4) != 0)
{ ret = grub_strdup (node_uuid);
dm_tree_free (tree); dm_tree_free (tree);
return 0;
return ret;
} }
dm_tree_free (tree); #endif
return 1;
} return NULL;
#else
return 1;
#endif /* HAVE_DEVICE_MAPPER */
} }
static enum grub_dev_abstraction_types
grub_util_get_dm_abstraction (const char *os_dev)
{
#ifdef HAVE_DEVICE_MAPPER
char *uuid;
uuid = get_dm_uuid (os_dev);
if (uuid == NULL)
return GRUB_DEV_ABSTRACTION_NONE;
if (strncmp (uuid, "LVM-", 4) == 0)
{
grub_free (uuid);
return GRUB_DEV_ABSTRACTION_LVM;
}
if (strncmp (uuid, "CRYPT-LUKS1-", 4) == 0)
{
grub_free (uuid);
return GRUB_DEV_ABSTRACTION_LUKS;
}
grub_free (uuid);
return GRUB_DEV_ABSTRACTION_NONE;
#else
if ((strncmp ("/dev/mapper/", os_dev, 12) != 0))
return GRUB_DEV_ABSTRACTION_NONE;
return GRUB_DEV_ABSTRACTION_LVM;
#endif
}
#if defined (__FreeBSD__) || defined(__FreeBSD_kernel__)
#include <libgeom.h>
/* FIXME: geom actually gives us the whole container hierarchy.
It can be used more efficiently than this. */
void
grub_util_follow_gpart_up (const char *name, grub_disk_addr_t *off_out, char **name_out)
{
struct gmesh mesh;
struct gclass *class;
int error;
struct ggeom *geom;
grub_util_info ("following geom '%s'", name);
error = geom_gettree (&mesh);
if (error != 0)
grub_util_error ("couldn't open geom");
LIST_FOREACH (class, &mesh.lg_class, lg_class)
if (strcasecmp (class->lg_name, "part") == 0)
break;
if (!class)
grub_util_error ("couldn't open geom part");
LIST_FOREACH (geom, &class->lg_geom, lg_geom)
{
struct gprovider *provider;
LIST_FOREACH (provider, &geom->lg_provider, lg_provider)
if (strcmp (provider->lg_name, name) == 0)
{
char *name_tmp = xstrdup (geom->lg_name);
grub_disk_addr_t off = 0;
struct gconfig *config;
grub_util_info ("geom '%s' has parent '%s'", name, geom->lg_name);
grub_util_follow_gpart_up (name_tmp, &off, name_out);
free (name_tmp);
LIST_FOREACH (config, &provider->lg_config, lg_config)
if (strcasecmp (config->lg_name, "start") == 0)
off += strtoull (config->lg_val, 0, 10);
if (off_out)
*off_out = off;
return;
}
}
grub_util_info ("geom '%s' has no parent", name);
if (name_out)
*name_out = xstrdup (name);
if (off_out)
*off_out = 0;
}
static const char *
grub_util_get_geom_abstraction (const char *dev)
{
char *whole;
struct gmesh mesh;
struct gclass *class;
const char *name;
int error;
if (strncmp (dev, "/dev/", sizeof ("/dev/") - 1) != 0)
return 0;
name = dev + sizeof ("/dev/") - 1;
grub_util_follow_gpart_up (name, NULL, &whole);
grub_util_info ("following geom '%s'", name);
error = geom_gettree (&mesh);
if (error != 0)
grub_util_error ("couldn't open geom");
LIST_FOREACH (class, &mesh.lg_class, lg_class)
{
struct ggeom *geom;
LIST_FOREACH (geom, &class->lg_geom, lg_geom)
{
struct gprovider *provider;
LIST_FOREACH (provider, &geom->lg_provider, lg_provider)
if (strcmp (provider->lg_name, name) == 0)
return class->lg_name;
}
}
return NULL;
}
#endif
int int
grub_util_get_dev_abstraction (const char *os_dev __attribute__((unused))) grub_util_get_dev_abstraction (const char *os_dev __attribute__((unused)))
{ {
#ifdef __linux__ #ifdef __linux__
enum grub_dev_abstraction_types ret;
/* User explicitly claims that this drive is visible by BIOS. */ /* User explicitly claims that this drive is visible by BIOS. */
if (grub_util_biosdisk_is_present (os_dev)) if (grub_util_biosdisk_is_present (os_dev))
return GRUB_DEV_ABSTRACTION_NONE; return GRUB_DEV_ABSTRACTION_NONE;
/* Check for LVM. */ /* Check for LVM and LUKS. */
if (grub_util_is_lvm (os_dev)) ret = grub_util_get_dm_abstraction (os_dev);
return GRUB_DEV_ABSTRACTION_LVM;
if (ret != GRUB_DEV_ABSTRACTION_NONE)
return ret;
/* Check for RAID. */ /* Check for RAID. */
if (!strncmp (os_dev, "/dev/md", 7) && ! grub_util_device_is_mapped (os_dev)) if (!strncmp (os_dev, "/dev/md", 7) && ! grub_util_device_is_mapped (os_dev))
return GRUB_DEV_ABSTRACTION_RAID; return GRUB_DEV_ABSTRACTION_RAID;
#endif #endif
#if defined (__FreeBSD__) || defined(__FreeBSD_kernel__)
const char *abs;
abs = grub_util_get_geom_abstraction (os_dev);
grub_util_info ("abstraction of %s is %s", os_dev, abs);
if (abs && grub_strcasecmp (abs, "eli") == 0)
return GRUB_DEV_ABSTRACTION_GELI;
#endif
/* No abstraction found. */ /* No abstraction found. */
return GRUB_DEV_ABSTRACTION_NONE; return GRUB_DEV_ABSTRACTION_NONE;
} }
@ -838,15 +970,84 @@ out:
void void
grub_util_pull_device (const char *os_dev) grub_util_pull_device (const char *os_dev)
{ {
switch (grub_util_get_dev_abstraction (os_dev)) int ab;
ab = grub_util_get_dev_abstraction (os_dev);
switch (ab)
{ {
case GRUB_DEV_ABSTRACTION_GELI:
{
char *whole;
struct gmesh mesh;
struct gclass *class;
const char *name;
int error;
char *lastsubdev = NULL;
if (strncmp (os_dev, "/dev/", sizeof ("/dev/") - 1) != 0)
return;
name = os_dev + sizeof ("/dev/") - 1;
grub_util_follow_gpart_up (name, NULL, &whole);
grub_util_info ("following geom '%s'", name);
error = geom_gettree (&mesh);
if (error != 0)
grub_util_error ("couldn't open geom");
LIST_FOREACH (class, &mesh.lg_class, lg_class)
{
struct ggeom *geom;
LIST_FOREACH (geom, &class->lg_geom, lg_geom)
{
struct gprovider *provider;
LIST_FOREACH (provider, &geom->lg_provider, lg_provider)
if (strcmp (provider->lg_name, name) == 0)
{
struct gconsumer *consumer;
char *fname;
char *uuid;
LIST_FOREACH (consumer, &geom->lg_consumer, lg_consumer)
break;
if (!consumer)
grub_util_error ("couldn't find geli consumer");
fname = xasprintf ("/dev/%s", consumer->lg_provider->lg_name);
grub_util_info ("consumer %s", consumer->lg_provider->lg_name);
lastsubdev = consumer->lg_provider->lg_name;
grub_util_pull_device (fname);
free (fname);
}
}
}
if (ab == GRUB_DEV_ABSTRACTION_GELI && lastsubdev)
{
char *fname = xasprintf ("/dev/%s", lastsubdev);
char *grdev = grub_util_get_grub_dev (fname);
free (fname);
if (grdev)
{
grub_err_t err;
err = grub_cryptodisk_cheat_mount (grdev, os_dev);
if (err)
grub_util_error ("Can't mount crypto: %s", grub_errmsg);
}
grub_free (grdev);
}
}
break;
case GRUB_DEV_ABSTRACTION_LVM: case GRUB_DEV_ABSTRACTION_LVM:
case GRUB_DEV_ABSTRACTION_LUKS:
#ifdef HAVE_DEVICE_MAPPER #ifdef HAVE_DEVICE_MAPPER
{ {
struct dm_tree *tree; struct dm_tree *tree;
struct dm_tree_node *node; struct dm_tree_node *node;
struct dm_tree_node *child; struct dm_tree_node *child;
void *handle = NULL; void *handle = NULL;
char *lastsubdev = NULL;
if (!grub_util_open_dm (os_dev, &tree, &node)) if (!grub_util_open_dm (os_dev, &tree, &node))
return; return;
@ -859,8 +1060,25 @@ grub_util_pull_device (const char *os_dev)
continue; continue;
subdev = grub_find_device ("/dev", makedev (dm->major, dm->minor)); subdev = grub_find_device ("/dev", makedev (dm->major, dm->minor));
if (subdev) if (subdev)
{
lastsubdev = subdev;
grub_util_pull_device (subdev); grub_util_pull_device (subdev);
} }
}
if (ab == GRUB_DEV_ABSTRACTION_CRYPTO && lastsubdev)
{
char *grdev = grub_util_get_grub_dev (lastsubdev);
dm_tree_free (tree);
if (grdev)
{
grub_err_t err;
err = grub_luks_cheat_mount (grdev, os_dev);
if (err)
grub_util_error ("Can't mount crypto: %s", grub_errmsg);
}
grub_free (grdev);
}
else
dm_tree_free (tree); dm_tree_free (tree);
} }
#endif #endif
@ -907,6 +1125,70 @@ grub_util_get_grub_dev (const char *os_dev)
break; break;
case GRUB_DEV_ABSTRACTION_LUKS:
{
char *uuid, *dash;
uuid = get_dm_uuid (os_dev);
if (!uuid)
break;
dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS1-") - 1, '-');
if (dash)
*dash = 0;
grub_dev = grub_xasprintf ("cryptouuid/%s",
uuid + sizeof ("CRYPT-LUKS1-") - 1);
grub_free (uuid);
}
break;
case GRUB_DEV_ABSTRACTION_GELI:
{
char *whole;
struct gmesh mesh;
struct gclass *class;
const char *name;
int error;
if (strncmp (os_dev, "/dev/", sizeof ("/dev/") - 1) != 0)
return 0;
name = os_dev + sizeof ("/dev/") - 1;
grub_util_follow_gpart_up (name, NULL, &whole);
grub_util_info ("following geom '%s'", name);
error = geom_gettree (&mesh);
if (error != 0)
grub_util_error ("couldn't open geom");
LIST_FOREACH (class, &mesh.lg_class, lg_class)
{
struct ggeom *geom;
LIST_FOREACH (geom, &class->lg_geom, lg_geom)
{
struct gprovider *provider;
LIST_FOREACH (provider, &geom->lg_provider, lg_provider)
if (strcmp (provider->lg_name, name) == 0)
{
struct gconsumer *consumer;
char *fname;
char *uuid;
LIST_FOREACH (consumer, &geom->lg_consumer, lg_consumer)
break;
if (!consumer)
grub_util_error ("couldn't find geli consumer");
fname = xasprintf ("/dev/%s", consumer->lg_provider->lg_name);
uuid = grub_util_get_geli_uuid (fname);
if (!uuid)
grub_util_error ("couldn't retrieve geli UUID");
grub_dev = xasprintf ("cryptouuid/%s", uuid);
free (fname);
free (uuid);
}
}
}
}
break;
case GRUB_DEV_ABSTRACTION_RAID: case GRUB_DEV_ABSTRACTION_RAID:
if (os_dev[7] == '_' && os_dev[8] == 'd') if (os_dev[7] == '_' && os_dev[8] == 'd')

View file

@ -106,9 +106,7 @@ struct hd_geometry
# include <libdevmapper.h> # include <libdevmapper.h>
#endif #endif
#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) #if defined(__NetBSD__)
#include <libgeom.h>
#elif defined(__NetBSD__)
# define HAVE_DIOCGDINFO # define HAVE_DIOCGDINFO
# include <sys/ioctl.h> # include <sys/ioctl.h>
# include <sys/disklabel.h> /* struct disklabel */ # include <sys/disklabel.h> /* struct disklabel */
@ -226,6 +224,82 @@ grub_util_biosdisk_iterate (int (*hook) (const char *name),
return 0; return 0;
} }
#if !defined(__MINGW32__)
grub_uint64_t
grub_util_get_fd_sectors (int fd, unsigned *log_secsize)
{
#if defined(__linux__) || defined(__CYGWIN__) || defined(__FreeBSD__) || \
defined(__FreeBSD_kernel__) || defined(__APPLE__) || defined(__NetBSD__)
# if defined(__NetBSD__)
struct disklabel label;
# else
unsigned long long nr;
# endif
unsigned sector_size, log_sector_size;
struct stat st;
if (fstat (fd, &st) < 0)
grub_util_error ("fstat failed");
# if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__APPLE__) || defined(__NetBSD__)
if (! S_ISCHR (st.st_mode))
# else
if (! S_ISBLK (st.st_mode))
# endif
goto fail;
# if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
if (ioctl (fd, DIOCGMEDIASIZE, &nr))
# elif defined(__APPLE__)
if (ioctl (fd, DKIOCGETBLOCKCOUNT, &nr))
# elif defined(__NetBSD__)
configure_device_driver (fd);
if (ioctl (fd, DIOCGDINFO, &label) == -1)
# else
if (ioctl (fd, BLKGETSIZE64, &nr))
# endif
goto fail;
# if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
if (ioctl (fd, DIOCGSECTORSIZE, &sector_size))
# else
if (ioctl (fd, BLKSSZGET, &sector_size))
# endif
goto fail;
if (sector_size & (sector_size - 1) || !sector_size)
goto fail;
for (log_sector_size = 0;
(1 << log_sector_size) < sector_size;
log_sector_size++);
if (log_secsize)
*log_secsize = log_sector_size;
# if defined (__APPLE__)
return nr;
# elif defined(__NetBSD__)
return label.d_secperunit;
# else
if (nr & ((1 << log_sector_size) - 1))
grub_util_error ("unaligned device size");
return (nr >> log_sector_size);
# endif
fail:
/* In GNU/Hurd, stat() will return the right size. */
#elif !defined (__GNU__)
# warning "No special routine to get the size of a block device is implemented for your OS. This is not possibly fatal."
#endif
if (log_secsize)
*log_secsize = 9;
return st.st_size >> 9;
}
#endif
static grub_err_t static grub_err_t
grub_util_biosdisk_open (const char *name, grub_disk_t disk) grub_util_biosdisk_open (const char *name, grub_disk_t disk)
{ {
@ -261,90 +335,30 @@ grub_util_biosdisk_open (const char *name, grub_disk_t disk)
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
} }
#elif defined(__linux__) || defined(__CYGWIN__) || defined(__FreeBSD__) || \ #else
defined(__FreeBSD_kernel__) || defined(__APPLE__) || defined(__NetBSD__)
{ {
# if defined(__NetBSD__)
struct disklabel label;
# else
unsigned long long nr;
# endif
int sector_size;
int fd; int fd;
fd = open (map[drive].device, O_RDONLY); fd = open (map[drive].device, O_RDONLY);
if (fd == -1) if (fd == -1)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "cannot open `%s' while attempting to get disk size", map[drive].device); return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "cannot open `%s' while attempting to get disk size", map[drive].device);
disk->total_sectors = grub_util_get_fd_sectors (fd, &disk->log_sector_size);
# if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__APPLE__) || defined(__NetBSD__) # if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__APPLE__) || defined(__NetBSD__)
if (fstat (fd, &st) < 0 || ! S_ISCHR (st.st_mode)) if (fstat (fd, &st) < 0 || ! S_ISCHR (st.st_mode))
# else # else
if (fstat (fd, &st) < 0 || ! S_ISBLK (st.st_mode)) if (fstat (fd, &st) < 0 || ! S_ISBLK (st.st_mode))
# endif # endif
{
close (fd);
goto fail;
}
data->is_disk = 1; data->is_disk = 1;
# if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
if (ioctl (fd, DIOCGMEDIASIZE, &nr))
# elif defined(__APPLE__)
if (ioctl (fd, DKIOCGETBLOCKCOUNT, &nr))
# elif defined(__NetBSD__)
configure_device_driver (fd);
if (ioctl (fd, DIOCGDINFO, &label) == -1)
# else
if (ioctl (fd, BLKGETSIZE64, &nr))
# endif
{
close (fd); close (fd);
goto fail;
}
if (ioctl (fd, BLKSSZGET, &sector_size))
{
close (fd);
goto fail;
}
close (fd);
if (sector_size & (sector_size - 1) || !sector_size)
goto fail;
for (disk->log_sector_size = 0;
(1 << disk->log_sector_size) < sector_size;
disk->log_sector_size++);
# if defined (__APPLE__)
disk->total_sectors = nr;
# elif defined(__NetBSD__)
disk->total_sectors = label.d_secperunit;
# else
disk->total_sectors = nr >> disk->log_sector_size;
if (nr & ((1 << disk->log_sector_size) - 1))
grub_util_error ("unaligned device size");
# endif
grub_util_info ("the size of %s is %llu", name, disk->total_sectors); grub_util_info ("the size of %s is %llu", name, disk->total_sectors);
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
} }
fail:
/* In GNU/Hurd, stat() will return the right size. */
#elif !defined (__GNU__)
# warning "No special routine to get the size of a block device is implemented for your OS. This is not possibly fatal."
#endif #endif
if (stat (map[drive].device, &st) < 0)
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "cannot stat `%s'", map[drive].device);
disk->total_sectors = st.st_size >> disk->log_sector_size;
grub_util_info ("the size of %s is %lu", name, disk->total_sectors);
return GRUB_ERR_NONE;
} }
int int
@ -366,55 +380,6 @@ grub_util_device_is_mapped (const char *dev)
} }
#if defined (__FreeBSD__) || defined(__FreeBSD_kernel__) #if defined (__FreeBSD__) || defined(__FreeBSD_kernel__)
/* FIXME: geom actually gives us the whole container hierarchy.
It can be used more efficiently than this. */
static void
follow_geom_up (const char *name, grub_disk_addr_t *off_out, char **name_out)
{
struct gmesh mesh;
struct gclass *class;
int error;
struct ggeom *geom;
grub_util_info ("following geom '%s'", name);
error = geom_gettree (&mesh);
if (error != 0)
grub_util_error ("couldn't open geom");
LIST_FOREACH (class, &mesh.lg_class, lg_class)
if (strcasecmp (class->lg_name, "part") == 0)
break;
if (!class)
grub_util_error ("couldn't open geom part");
LIST_FOREACH (geom, &class->lg_geom, lg_geom)
{
struct gprovider *provider;
LIST_FOREACH (provider, &geom->lg_provider, lg_provider)
if (strcmp (provider->lg_name, name) == 0)
{
char *name_tmp = xstrdup (geom->lg_name);
grub_disk_addr_t off = 0;
struct gconfig *config;
grub_util_info ("geom '%s' has parent '%s'", name, geom->lg_name);
follow_geom_up (name_tmp, &off, name_out);
free (name_tmp);
LIST_FOREACH (config, &provider->lg_config, lg_config)
if (strcasecmp (config->lg_name, "start") == 0)
off += strtoull (config->lg_val, 0, 10);
if (off_out)
*off_out = off;
return;
}
}
grub_util_info ("geom '%s' has no parent", name);
if (name_out)
*name_out = xstrdup (name);
if (off_out)
*off_out = 0;
}
static grub_disk_addr_t static grub_disk_addr_t
find_partition_start (const char *dev) find_partition_start (const char *dev)
@ -422,10 +387,11 @@ find_partition_start (const char *dev)
grub_disk_addr_t out; grub_disk_addr_t out;
if (strncmp (dev, "/dev/", sizeof ("/dev/") - 1) != 0) if (strncmp (dev, "/dev/", sizeof ("/dev/") - 1) != 0)
return 0; return 0;
follow_geom_up (dev + sizeof ("/dev/") - 1, &out, NULL); grub_util_follow_gpart_up (dev + sizeof ("/dev/") - 1, &out, NULL);
return out; return out;
} }
#elif defined(__linux__) || defined(__CYGWIN__) || defined(HAVE_DIOCGDINFO) #elif defined(__linux__) || defined(__CYGWIN__) || defined(HAVE_DIOCGDINFO)
static grub_disk_addr_t static grub_disk_addr_t
find_partition_start (const char *dev) find_partition_start (const char *dev)
@ -657,6 +623,37 @@ linux_find_partition (char *dev, grub_disk_addr_t sector)
} }
#endif /* __linux__ */ #endif /* __linux__ */
#if defined(__linux__) && (!defined(__GLIBC__) || \
((__GLIBC__ < 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ < 1))))
/* Maybe libc doesn't have large file support. */
grub_err_t
grub_util_fd_seek (int fd, const char *name, grub_uint64_t off)
{
loff_t offset, result;
static int _llseek (uint filedes, ulong hi, ulong lo,
loff_t *res, uint wh);
_syscall5 (int, _llseek, uint, filedes, ulong, hi, ulong, lo,
loff_t *, res, uint, wh);
offset = (loff_t) off;
if (_llseek (fd, offset >> 32, offset & 0xffffffff, &result, SEEK_SET))
{
return grub_error (GRUB_ERR_BAD_DEVICE, "cannot seek `%s'", name);
}
return GRUB_ERR_NONE;
}
#else
grub_err_t
grub_util_fd_seek (int fd, const char *name, grub_uint64_t off)
{
off_t offset = (off_t) off;
if (lseek (fd, offset, SEEK_SET) != offset)
return grub_error (GRUB_ERR_BAD_DEVICE, "cannot seek `%s'", name);
return 0;
}
#endif
static int static int
open_device (const grub_disk_t disk, grub_disk_addr_t sector, int flags) open_device (const grub_disk_t disk, grub_disk_addr_t sector, int flags)
{ {
@ -809,44 +806,20 @@ open_device (const grub_disk_t disk, grub_disk_addr_t sector, int flags)
configure_device_driver (fd); configure_device_driver (fd);
#endif /* defined(__NetBSD__) */ #endif /* defined(__NetBSD__) */
#if defined(__linux__) && (!defined(__GLIBC__) || \ if (grub_util_fd_seek (fd, map[disk->id].device,
((__GLIBC__ < 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ < 1)))) sector << disk->log_sector_size))
/* Maybe libc doesn't have large file support. */
{ {
loff_t offset, result;
static int _llseek (uint filedes, ulong hi, ulong lo,
loff_t *res, uint wh);
_syscall5 (int, _llseek, uint, filedes, ulong, hi, ulong, lo,
loff_t *, res, uint, wh);
offset = (loff_t) sector << disk->log_sector_size;
if (_llseek (fd, offset >> 32, offset & 0xffffffff, &result, SEEK_SET))
{
grub_error (GRUB_ERR_BAD_DEVICE, "cannot seek `%s'", map[disk->id].device);
close (fd); close (fd);
return -1; return -1;
} }
}
#else
{
off_t offset = (off_t) sector << disk->log_sector_size;
if (lseek (fd, offset, SEEK_SET) != offset)
{
grub_error (GRUB_ERR_BAD_DEVICE, "cannot seek `%s'", map[disk->id].device);
close (fd);
return -1;
}
}
#endif
return fd; return fd;
} }
/* Read LEN bytes from FD in BUF. Return less than or equal to zero if an /* Read LEN bytes from FD in BUF. Return less than or equal to zero if an
error occurs, otherwise return LEN. */ error occurs, otherwise return LEN. */
static ssize_t ssize_t
nread (int fd, char *buf, size_t len) grub_util_fd_read (int fd, char *buf, size_t len)
{ {
ssize_t size = len; ssize_t size = len;
@ -929,7 +902,7 @@ grub_util_biosdisk_read (grub_disk_t disk, grub_disk_addr_t sector,
sectors that are read together with the MBR in one read. It sectors that are read together with the MBR in one read. It
should only remap the MBR, so we split the read in two should only remap the MBR, so we split the read in two
parts. -jochen */ parts. -jochen */
if (nread (fd, buf, (1 << disk->log_sector_size)) if (grub_util_fd_read (fd, buf, (1 << disk->log_sector_size))
!= (1 << disk->log_sector_size)) != (1 << disk->log_sector_size))
{ {
grub_error (GRUB_ERR_READ_ERROR, "cannot read `%s'", map[disk->id].device); grub_error (GRUB_ERR_READ_ERROR, "cannot read `%s'", map[disk->id].device);
@ -941,7 +914,7 @@ grub_util_biosdisk_read (grub_disk_t disk, grub_disk_addr_t sector,
} }
#endif /* __linux__ */ #endif /* __linux__ */
if (nread (fd, buf, size << disk->log_sector_size) if (grub_util_fd_read (fd, buf, size << disk->log_sector_size)
!= (ssize_t) (size << disk->log_sector_size)) != (ssize_t) (size << disk->log_sector_size))
grub_error (GRUB_ERR_READ_ERROR, "cannot read from `%s'", map[disk->id].device); grub_error (GRUB_ERR_READ_ERROR, "cannot read from `%s'", map[disk->id].device);
@ -1516,7 +1489,7 @@ devmapper_out:
char *out, *out2; char *out, *out2;
if (strncmp (os_dev, "/dev/", sizeof ("/dev/") - 1) != 0) if (strncmp (os_dev, "/dev/", sizeof ("/dev/") - 1) != 0)
return xstrdup (os_dev); return xstrdup (os_dev);
follow_geom_up (os_dev + sizeof ("/dev/") - 1, NULL, &out); grub_util_follow_gpart_up (os_dev + sizeof ("/dev/") - 1, NULL, &out);
out2 = xasprintf ("/dev/%s", out); out2 = xasprintf ("/dev/%s", out);
free (out); free (out);
@ -1675,6 +1648,8 @@ grub_util_biosdisk_get_grub_dev (const char *os_dev)
struct stat st; struct stat st;
int drive; int drive;
grub_util_info ("Looking for %s", os_dev);
if (stat (os_dev, &st) < 0) if (stat (os_dev, &st) < 0)
{ {
grub_error (GRUB_ERR_BAD_DEVICE, "cannot stat `%s'", os_dev); grub_error (GRUB_ERR_BAD_DEVICE, "cannot stat `%s'", os_dev);

View file

@ -23,6 +23,13 @@
#include <grub/term.h> #include <grub/term.h>
#include <grub/dl.h> #include <grub/dl.h>
#ifdef GRUB_UTIL
#include <termios.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#endif
GRUB_MOD_LICENSE ("GPLv3+"); GRUB_MOD_LICENSE ("GPLv3+");
struct grub_crypto_hmac_handle struct grub_crypto_hmac_handle
@ -186,9 +193,10 @@ grub_crypto_xor (void *out, const void *in1, const void *in2, grub_size_t size)
gcry_err_code_t gcry_err_code_t
grub_crypto_ecb_decrypt (grub_crypto_cipher_handle_t cipher, grub_crypto_ecb_decrypt (grub_crypto_cipher_handle_t cipher,
void *out, void *in, grub_size_t size) void *out, const void *in, grub_size_t size)
{ {
grub_uint8_t *inptr, *outptr, *end; const grub_uint8_t *inptr;
grub_uint8_t *outptr, *end;
if (!cipher->cipher->decrypt) if (!cipher->cipher->decrypt)
return GPG_ERR_NOT_SUPPORTED; return GPG_ERR_NOT_SUPPORTED;
if (size % cipher->cipher->blocksize != 0) if (size % cipher->cipher->blocksize != 0)
@ -242,10 +250,11 @@ grub_crypto_cbc_encrypt (grub_crypto_cipher_handle_t cipher,
gcry_err_code_t gcry_err_code_t
grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher, grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher,
void *out, void *in, grub_size_t size, void *out, const void *in, grub_size_t size,
void *iv) void *iv)
{ {
grub_uint8_t *inptr, *outptr, *end; const grub_uint8_t *inptr;
grub_uint8_t *outptr, *end;
grub_uint8_t ivt[cipher->cipher->blocksize]; grub_uint8_t ivt[cipher->cipher->blocksize];
if (!cipher->cipher->decrypt) if (!cipher->cipher->decrypt)
return GPG_ERR_NOT_SUPPORTED; return GPG_ERR_NOT_SUPPORTED;
@ -336,7 +345,8 @@ grub_crypto_hmac_init (const struct gcry_md_spec *md,
} }
void void
grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd, void *data, grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd,
const void *data,
grub_size_t datalen) grub_size_t datalen)
{ {
hnd->md->write (hnd->ctx, data, datalen); hnd->md->write (hnd->ctx, data, datalen);
@ -378,7 +388,7 @@ grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out)
gcry_err_code_t gcry_err_code_t
grub_crypto_hmac_buffer (const struct gcry_md_spec *md, grub_crypto_hmac_buffer (const struct gcry_md_spec *md,
const void *key, grub_size_t keylen, const void *key, grub_size_t keylen,
void *data, grub_size_t datalen, void *out) const void *data, grub_size_t datalen, void *out)
{ {
struct grub_crypto_hmac_handle *hnd; struct grub_crypto_hmac_handle *hnd;
@ -414,10 +424,43 @@ grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
return !!counter; return !!counter;
} }
#ifndef GRUB_MKPASSWD
int int
grub_password_get (char buf[], unsigned buf_size) grub_password_get (char buf[], unsigned buf_size)
{ {
#ifdef GRUB_UTIL
FILE *in;
struct termios s, t;
int tty_changed = 0;
char *ptr;
/* Disable echoing. Based on glibc. */
in = fopen ("/dev/tty", "w+c");
if (in == NULL)
in = stdin;
if (tcgetattr (fileno (in), &t) == 0)
{
/* Save the old one. */
s = t;
/* Tricky, tricky. */
t.c_lflag &= ~(ECHO|ISIG);
tty_changed = (tcsetattr (fileno (in), TCSAFLUSH, &t) == 0);
}
else
tty_changed = 0;
fgets (buf, buf_size, stdin);
ptr = buf + strlen (buf) - 1;
while (buf <= ptr && (*ptr == '\n' || *ptr == '\r'))
*ptr-- = 0;
/* Restore the original setting. */
if (tty_changed)
(void) tcsetattr (fileno (in), TCSAFLUSH, &s);
grub_xputs ("\n");
grub_refresh ();
return 1;
#else
unsigned cur_len = 0; unsigned cur_len = 0;
int key; int key;
@ -452,5 +495,5 @@ grub_password_get (char buf[], unsigned buf_size)
grub_refresh (); grub_refresh ();
return (key != '\e'); return (key != '\e');
}
#endif #endif
}

View file

@ -126,6 +126,9 @@ typedef struct gcry_cipher_spec
gcry_cipher_decrypt_t decrypt; gcry_cipher_decrypt_t decrypt;
gcry_cipher_stencrypt_t stencrypt; gcry_cipher_stencrypt_t stencrypt;
gcry_cipher_stdecrypt_t stdecrypt; gcry_cipher_stdecrypt_t stdecrypt;
#ifdef GRUB_UTIL
const char *modname;
#endif
struct gcry_cipher_spec *next; struct gcry_cipher_spec *next;
} gcry_cipher_spec_t; } gcry_cipher_spec_t;
@ -161,6 +164,9 @@ typedef struct gcry_md_spec
grub_size_t contextsize; /* allocate this amount of context */ grub_size_t contextsize; /* allocate this amount of context */
/* Block size, needed for HMAC. */ /* Block size, needed for HMAC. */
grub_size_t blocksize; grub_size_t blocksize;
#ifdef GRUB_UTIL
const char *modname;
#endif
struct gcry_md_spec *next; struct gcry_md_spec *next;
} gcry_md_spec_t; } gcry_md_spec_t;
@ -193,7 +199,7 @@ grub_crypto_xor (void *out, const void *in1, const void *in2, grub_size_t size);
gcry_err_code_t gcry_err_code_t
grub_crypto_ecb_decrypt (grub_crypto_cipher_handle_t cipher, grub_crypto_ecb_decrypt (grub_crypto_cipher_handle_t cipher,
void *out, void *in, grub_size_t size); void *out, const void *in, grub_size_t size);
gcry_err_code_t gcry_err_code_t
grub_crypto_ecb_encrypt (grub_crypto_cipher_handle_t cipher, grub_crypto_ecb_encrypt (grub_crypto_cipher_handle_t cipher,
@ -204,7 +210,7 @@ grub_crypto_cbc_encrypt (grub_crypto_cipher_handle_t cipher,
void *iv_in); void *iv_in);
gcry_err_code_t gcry_err_code_t
grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher, grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher,
void *out, void *in, grub_size_t size, void *out, const void *in, grub_size_t size,
void *iv); void *iv);
void void
grub_cipher_register (gcry_cipher_spec_t *cipher); grub_cipher_register (gcry_cipher_spec_t *cipher);
@ -229,7 +235,8 @@ struct grub_crypto_hmac_handle *
grub_crypto_hmac_init (const struct gcry_md_spec *md, grub_crypto_hmac_init (const struct gcry_md_spec *md,
const void *key, grub_size_t keylen); const void *key, grub_size_t keylen);
void void
grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd, void *data, grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd,
const void *data,
grub_size_t datalen); grub_size_t datalen);
gcry_err_code_t gcry_err_code_t
grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out); grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out);
@ -237,7 +244,7 @@ grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out);
gcry_err_code_t gcry_err_code_t
grub_crypto_hmac_buffer (const struct gcry_md_spec *md, grub_crypto_hmac_buffer (const struct gcry_md_spec *md,
const void *key, grub_size_t keylen, const void *key, grub_size_t keylen,
void *data, grub_size_t datalen, void *out); const void *data, grub_size_t datalen, void *out);
extern gcry_md_spec_t _gcry_digest_spec_md5; extern gcry_md_spec_t _gcry_digest_spec_md5;
extern gcry_md_spec_t _gcry_digest_spec_sha1; extern gcry_md_spec_t _gcry_digest_spec_sha1;
@ -274,4 +281,10 @@ grub_password_get (char buf[], unsigned buf_size);
extern void (*grub_crypto_autoload_hook) (const char *name); extern void (*grub_crypto_autoload_hook) (const char *name);
#ifdef GRUB_UTIL
void grub_gcry_init_all (void);
void grub_gcry_fini_all (void);
#endif
#endif #endif

147
include/grub/cryptodisk.h Normal file
View file

@ -0,0 +1,147 @@
/*
* GRUB -- GRand Unified Bootloader
* Copyright (C) 2002,2003,2004,2005,2006,2007,2008,2009 Free Software Foundation, Inc.
*
* GRUB is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GRUB is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef GRUB_CRYPTODISK_HEADER
#define GRUB_CRYPTODISK_HEADER 1
#include <grub/disk.h>
#include <grub/crypto.h>
#include <grub/list.h>
typedef enum
{
GRUB_CRYPTODISK_MODE_ECB,
GRUB_CRYPTODISK_MODE_CBC,
GRUB_CRYPTODISK_MODE_PCBC,
GRUB_CRYPTODISK_MODE_XTS,
GRUB_CRYPTODISK_MODE_LRW
} grub_cryptodisk_mode_t;
typedef enum
{
GRUB_CRYPTODISK_MODE_IV_NULL,
GRUB_CRYPTODISK_MODE_IV_PLAIN,
GRUB_CRYPTODISK_MODE_IV_PLAIN64,
GRUB_CRYPTODISK_MODE_IV_ESSIV,
GRUB_CRYPTODISK_MODE_IV_BENBI,
GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64,
GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64_HASH
} grub_cryptodisk_mode_iv_t;
#define GRUB_CRYPTODISK_MAX_UUID_LENGTH 71
#define GRUB_CRYPTODISK_GF_LOG_SIZE 7
#define GRUB_CRYPTODISK_GF_SIZE (1U << GRUB_CRYPTODISK_GF_LOG_SIZE)
#define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
#define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
struct grub_cryptodisk;
typedef gcry_err_code_t
(*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
grub_uint64_t zoneno);
struct grub_cryptodisk
{
struct grub_cryptodisk *next;
char *source;
grub_disk_addr_t offset;
grub_disk_addr_t total_length;
grub_disk_t source_disk;
int ref;
grub_crypto_cipher_handle_t cipher;
grub_crypto_cipher_handle_t secondary_cipher;
grub_crypto_cipher_handle_t essiv_cipher;
const gcry_md_spec_t *essiv_hash, *hash, *iv_hash;
grub_cryptodisk_mode_t mode;
grub_cryptodisk_mode_iv_t mode_iv;
int benbi_log;
unsigned long id, source_id;
enum grub_disk_dev_id source_dev_id;
char uuid[GRUB_CRYPTODISK_MAX_UUID_LENGTH + 1];
grub_uint8_t lrw_key[GRUB_CRYPTODISK_GF_BYTES];
grub_uint8_t *lrw_precalc;
grub_uint8_t iv_prefix[64];
grub_size_t iv_prefix_len;
#ifdef GRUB_UTIL
char *cheat;
const char *modname;
int cheat_fd;
#endif
int log_sector_size;
grub_cryptodisk_rekey_func_t rekey;
int rekey_shift;
grub_uint8_t rekey_key[64];
grub_uint64_t last_rekey;
int rekey_derived_size;
};
typedef struct grub_cryptodisk *grub_cryptodisk_t;
struct grub_cryptodisk_dev
{
struct grub_cryptodisk_dev *next;
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
int boot_only);
grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
};
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
extern grub_cryptodisk_dev_t EXPORT_VAR (grub_cryptodisk_list);
#ifndef GRUB_LST_GENERATOR
static inline void
grub_cryptodisk_dev_register (grub_cryptodisk_dev_t cr)
{
grub_list_push (GRUB_AS_LIST_P (&grub_cryptodisk_list), GRUB_AS_LIST (cr));
}
#endif
static inline void
grub_cryptodisk_dev_unregister (grub_cryptodisk_dev_t cr)
{
grub_list_remove (GRUB_AS_LIST_P (&grub_cryptodisk_list), GRUB_AS_LIST (cr));
}
#define FOR_CRYPTODISK_DEVS(var) FOR_LIST_ELEMENTS((var), (grub_cryptodisk_list))
gcry_err_code_t
grub_cryptodisk_setkey (grub_cryptodisk_t dev,
grub_uint8_t *key, grub_size_t keysize);
gcry_err_code_t
grub_cryptodisk_decrypt (struct grub_cryptodisk *dev,
grub_uint8_t * data, grub_size_t len,
grub_disk_addr_t sector);
grub_err_t
grub_cryptodisk_insert (grub_cryptodisk_t newdev, const char *name,
grub_disk_t source);
#ifdef GRUB_UTIL
grub_err_t
grub_cryptodisk_cheat_insert (grub_cryptodisk_t newdev, const char *name,
grub_disk_t source, const char *cheat);
void
grub_util_cryptodisk_print_abstraction (grub_disk_t disk);
char *
grub_util_get_geli_uuid (const char *dev);
#endif
grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
#endif

View file

@ -42,7 +42,7 @@ enum grub_disk_dev_id
GRUB_DISK_DEVICE_PXE_ID, GRUB_DISK_DEVICE_PXE_ID,
GRUB_DISK_DEVICE_SCSI_ID, GRUB_DISK_DEVICE_SCSI_ID,
GRUB_DISK_DEVICE_FILE_ID, GRUB_DISK_DEVICE_FILE_ID,
GRUB_DISK_DEVICE_LUKS_ID, GRUB_DISK_DEVICE_CRYPTODISK_ID,
GRUB_DISK_DEVICE_ARCDISK_ID, GRUB_DISK_DEVICE_ARCDISK_ID,
}; };

View file

@ -25,6 +25,8 @@ enum grub_dev_abstraction_types {
GRUB_DEV_ABSTRACTION_NONE, GRUB_DEV_ABSTRACTION_NONE,
GRUB_DEV_ABSTRACTION_LVM, GRUB_DEV_ABSTRACTION_LVM,
GRUB_DEV_ABSTRACTION_RAID, GRUB_DEV_ABSTRACTION_RAID,
GRUB_DEV_ABSTRACTION_LUKS,
GRUB_DEV_ABSTRACTION_GELI,
}; };
char *grub_find_device (const char *dir, dev_t dev); char *grub_find_device (const char *dir, dev_t dev);
@ -37,5 +39,9 @@ const char *grub_util_check_char_device (const char *blk_dev);
#ifdef __linux__ #ifdef __linux__
char **grub_util_raid_getmembers (const char *name, int bootable); char **grub_util_raid_getmembers (const char *name, int bootable);
#endif #endif
#if defined (__FreeBSD__) || defined(__FreeBSD_kernel__)
void grub_util_follow_gpart_up (const char *name, grub_disk_addr_t *off_out,
char **name_out);
#endif
#endif /* ! GRUB_UTIL_GETROOT_HEADER */ #endif /* ! GRUB_UTIL_GETROOT_HEADER */

View file

@ -21,6 +21,7 @@
#define GRUB_BIOSDISK_MACHINE_UTIL_HEADER 1 #define GRUB_BIOSDISK_MACHINE_UTIL_HEADER 1
#include <grub/disk.h> #include <grub/disk.h>
#include <sys/types.h>
void grub_util_biosdisk_init (const char *dev_map); void grub_util_biosdisk_init (const char *dev_map);
void grub_util_biosdisk_fini (void); void grub_util_biosdisk_fini (void);
@ -30,5 +31,15 @@ int grub_util_biosdisk_is_present (const char *name);
int grub_util_biosdisk_is_floppy (grub_disk_t disk); int grub_util_biosdisk_is_floppy (grub_disk_t disk);
grub_err_t grub_util_biosdisk_flush (struct grub_disk *disk); grub_err_t grub_util_biosdisk_flush (struct grub_disk *disk);
void grub_util_pull_device (const char *osname); void grub_util_pull_device (const char *osname);
grub_err_t
grub_util_fd_seek (int fd, const char *name, grub_uint64_t sector);
ssize_t grub_util_fd_read (int fd, char *buf, size_t len);
grub_err_t
grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat);
void grub_util_cryptodisk_print_uuid (grub_disk_t disk);
#if !defined(__MINGW32__)
grub_uint64_t
grub_util_get_fd_sectors (int fd, unsigned *log_secsize);
#endif
#endif /* ! GRUB_BIOSDISK_MACHINE_UTIL_HEADER */ #endif /* ! GRUB_BIOSDISK_MACHINE_UTIL_HEADER */

View file

@ -299,6 +299,7 @@ static char **images = NULL;
static int cmd = 0; static int cmd = 0;
static char *debug_str = NULL; static char *debug_str = NULL;
static char **args = NULL; static char **args = NULL;
static int mount_crypt = 0;
static void static void
fstest (int n, char **args) fstest (int n, char **args)
@ -328,6 +329,15 @@ fstest (int n, char **args)
grub_free (host_file); grub_free (host_file);
} }
{
char *argv[2] = { "-a", NULL};
if (mount_crypt)
{
if (execute_command ("cryptomount", 1, argv))
grub_util_error (_("cryptomount command fails: %s"), grub_errmsg);
}
}
grub_lvm_fini (); grub_lvm_fini ();
grub_mdraid09_fini (); grub_mdraid09_fini ();
grub_mdraid1x_fini (); grub_mdraid1x_fini ();
@ -397,6 +407,7 @@ static struct argp_option options[] = {
{"length", 'n', "N", 0, N_("Handle N bytes in output file."), 2}, {"length", 'n', "N", 0, N_("Handle N bytes in output file."), 2},
{"diskcount", 'c', "N", 0, N_("N input files."), 2}, {"diskcount", 'c', "N", 0, N_("N input files."), 2},
{"debug", 'd', "S", 0, N_("Set debug environment variable."), 2}, {"debug", 'd', "S", 0, N_("Set debug environment variable."), 2},
{"crypto", 'C', NULL, OPTION_ARG_OPTIONAL, N_("Mount crypto devices."), 2},
{"verbose", 'v', NULL, OPTION_ARG_OPTIONAL, N_("Print verbose messages."), 2}, {"verbose", 'v', NULL, OPTION_ARG_OPTIONAL, N_("Print verbose messages."), 2},
{0, 0, 0, 0, 0, 0} {0, 0, 0, 0, 0, 0}
}; };
@ -420,6 +431,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
root = arg; root = arg;
return 0; return 0;
case 'C':
mount_crypt = 1;
return 0;
case 's': case 's':
skip = grub_strtoul (arg, &p, 0); skip = grub_strtoul (arg, &p, 0);
if (*p == 's') if (*p == 's')
@ -564,6 +579,7 @@ main (int argc, char *argv[])
/* Initialize all modules. */ /* Initialize all modules. */
grub_init_all (); grub_init_all ();
grub_gcry_init_all ();
if (debug_str) if (debug_str)
grub_env_set ("debug", debug_str); grub_env_set ("debug", debug_str);
@ -592,6 +608,7 @@ main (int argc, char *argv[])
fstest (args_count - 1 - num_disks, args); fstest (args_count - 1 - num_disks, args);
/* Free resources. */ /* Free resources. */
grub_gcry_fini_all ();
grub_fini_all (); grub_fini_all ();
return 0; return 0;

View file

@ -456,6 +456,8 @@ for dir in "${localedir}"/*; do
fi fi
done done
is_path_readable_by_grub "${grubdir}" || (echo "${grubdir}" not readable 1>&2 ; exit 1)
# Write device to a variable so we don't have to traverse /dev every time. # Write device to a variable so we don't have to traverse /dev every time.
grub_device="`"$grub_probe" --device-map="${device_map}" --target=device "${grubdir}"`" || exit 1 grub_device="`"$grub_probe" --device-map="${device_map}" --target=device "${grubdir}"`" || exit 1
@ -544,6 +546,12 @@ if [ "x${devabstraction_module}" = "x" ] ; then
exit 1 exit 1
fi fi
if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
for uuid in "`"${grub_probe}" --device "${device}" --target=cryptodisk_uuid`"; do
echo "cryptomount -u $uuid"
done
fi
echo "search.fs_uuid ${uuid} root " >> "${grubdir}/load.cfg" echo "search.fs_uuid ${uuid} root " >> "${grubdir}/load.cfg"
echo 'set prefix=($root)'"${relative_grubdir}" >> "${grubdir}/load.cfg" echo 'set prefix=($root)'"${relative_grubdir}" >> "${grubdir}/load.cfg"
config_opt="-c ${grubdir}/load.cfg " config_opt="-c ${grubdir}/load.cfg "

View file

@ -256,6 +256,7 @@ export GRUB_DEFAULT \
GRUB_DISABLE_OS_PROBER \ GRUB_DISABLE_OS_PROBER \
GRUB_INIT_TUNE \ GRUB_INIT_TUNE \
GRUB_SAVEDEFAULT \ GRUB_SAVEDEFAULT \
GRUB_ENABLE_CRYPTODISK \
GRUB_BADRAM GRUB_BADRAM
if test "x${grub_cfg}" != "x"; then if test "x${grub_cfg}" != "x"; then

View file

@ -63,10 +63,22 @@ is_path_readable_by_grub ()
# ... or if we can't figure out the abstraction module, for example if # ... or if we can't figure out the abstraction module, for example if
# memberlist fails on an LVM volume group. # memberlist fails on an LVM volume group.
if "${grub_probe}" -t abstraction "$path" > /dev/null 2>&1 ; then : ; else if abstractions="`"${grub_probe}" -t abstraction "$path"`" 2>&1 ; then
:
else
return 1 return 1
fi fi
if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
return 0
fi
for abstraction in $abstractions; do
if [ "x$abstraction" = xcryptodisk ]; then
return 1
fi
done
return 0 return 0
} }
@ -126,6 +138,12 @@ prepare_grub_to_access_device ()
echo "insmod ${module}" echo "insmod ${module}"
done done
if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
for uuid in "`"${grub_probe}" --device "${device}" --target=cryptodisk_uuid`"; do
echo "cryptomount -u $uuid"
done
fi
# If there's a filesystem UUID that GRUB is capable of identifying, use it; # If there's a filesystem UUID that GRUB is capable of identifying, use it;
# otherwise set root as per value in device.map. # otherwise set root as per value in device.map.
echo "set root='`"${grub_probe}" --device "${device}" --target=drive`'" echo "set root='`"${grub_probe}" --device "${device}" --target=drive`'"

View file

@ -20,6 +20,7 @@
#include <grub/types.h> #include <grub/types.h>
#include <grub/crypto.h> #include <grub/crypto.h>
#include <grub/auth.h>
#include <grub/emu/misc.h> #include <grub/emu/misc.h>
#include <grub/util/misc.h> #include <grub/util/misc.h>
#include <grub/i18n.h> #include <grub/i18n.h>
@ -29,7 +30,6 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <getopt.h> #include <getopt.h>
#include <termios.h>
#include "progname.h" #include "progname.h"
@ -85,14 +85,12 @@ int
main (int argc, char *argv[]) main (int argc, char *argv[])
{ {
unsigned int count = 10000, buflen = 64, saltlen = 64; unsigned int count = 10000, buflen = 64, saltlen = 64;
char *pass1, *pass2;
char *bufhex, *salthex; char *bufhex, *salthex;
gcry_err_code_t gcry_err; gcry_err_code_t gcry_err;
grub_uint8_t *buf, *salt; grub_uint8_t *buf, *salt;
ssize_t nr; ssize_t nr;
FILE *in, *out; char pass1[GRUB_AUTH_MAX_PASSLEN];
struct termios s, t; char pass2[GRUB_AUTH_MAX_PASSLEN];
int tty_changed;
set_program_name (argv[0]); set_program_name (argv[0]);
@ -161,85 +159,36 @@ main (int argc, char *argv[])
grub_util_error ("out of memory"); grub_util_error ("out of memory");
} }
/* Disable echoing. Based on glibc. */
in = fopen ("/dev/tty", "w+c");
if (in == NULL)
{
in = stdin;
out = stderr;
}
else
out = in;
if (tcgetattr (fileno (in), &t) == 0)
{
/* Save the old one. */
s = t;
/* Tricky, tricky. */
t.c_lflag &= ~(ECHO|ISIG);
tty_changed = (tcsetattr (fileno (in), TCSAFLUSH, &t) == 0);
}
else
tty_changed = 0;
printf ("Enter password: "); printf ("Enter password: ");
pass1 = NULL; if (!grub_password_get (pass1, GRUB_AUTH_MAX_PASSLEN))
{
grub_size_t n;
nr = getline (&pass1, &n, stdin);
}
if (nr < 0 || !pass1)
{ {
free (buf); free (buf);
free (bufhex); free (bufhex);
free (salthex); free (salthex);
free (salt); free (salt);
/* Restore the original setting. */
if (tty_changed)
(void) tcsetattr (fileno (in), TCSAFLUSH, &s);
grub_util_error ("failure to read password"); grub_util_error ("failure to read password");
} }
if (nr >= 1 && pass1[nr-1] == '\n')
pass1[nr-1] = 0;
printf ("\nReenter password: "); printf ("\nReenter password: ");
pass2 = NULL; if (!grub_password_get (pass2, GRUB_AUTH_MAX_PASSLEN))
{ {
grub_size_t n;
nr = getline (&pass2, &n, stdin);
}
/* Restore the original setting. */
if (tty_changed)
(void) tcsetattr (fileno (in), TCSAFLUSH, &s);
printf ("\n");
if (nr < 0 || !pass2)
{
memset (pass1, 0, strlen (pass1));
free (pass1);
free (buf); free (buf);
free (bufhex); free (bufhex);
free (salthex); free (salthex);
free (salt); free (salt);
grub_util_error ("failure to read password"); grub_util_error ("failure to read password");
} }
if (nr >= 1 && pass2[nr-1] == '\n')
pass2[nr-1] = 0;
if (strcmp (pass1, pass2) != 0) if (strcmp (pass1, pass2) != 0)
{ {
memset (pass1, 0, strlen (pass1)); memset (pass1, 0, sizeof (pass1));
memset (pass2, 0, strlen (pass2)); memset (pass2, 0, sizeof (pass2));
free (pass1);
free (pass2);
free (buf); free (buf);
free (bufhex); free (bufhex);
free (salthex); free (salthex);
free (salt); free (salt);
grub_util_error ("passwords don't match"); grub_util_error ("passwords don't match");
} }
memset (pass2, 0, strlen (pass2)); memset (pass2, 0, sizeof (pass2));
free (pass2);
#if ! defined (__linux__) && ! defined (__FreeBSD__) #if ! defined (__linux__) && ! defined (__FreeBSD__)
printf ("WARNING: your random generator isn't known to be secure\n"); printf ("WARNING: your random generator isn't known to be secure\n");
@ -251,8 +200,7 @@ main (int argc, char *argv[])
f = fopen ("/dev/urandom", "rb"); f = fopen ("/dev/urandom", "rb");
if (!f) if (!f)
{ {
memset (pass1, 0, strlen (pass1)); memset (pass1, 0, sizeof (pass1));
free (pass1);
free (buf); free (buf);
free (bufhex); free (bufhex);
free (salthex); free (salthex);
@ -264,8 +212,7 @@ main (int argc, char *argv[])
if (rd != saltlen) if (rd != saltlen)
{ {
fclose (f); fclose (f);
memset (pass1, 0, strlen (pass1)); memset (pass1, 0, sizeof (pass1));
free (pass1);
free (buf); free (buf);
free (bufhex); free (bufhex);
free (salthex); free (salthex);
@ -279,8 +226,7 @@ main (int argc, char *argv[])
(grub_uint8_t *) pass1, strlen (pass1), (grub_uint8_t *) pass1, strlen (pass1),
salt, saltlen, salt, saltlen,
count, buf, buflen); count, buf, buflen);
memset (pass1, 0, strlen (pass1)); memset (pass1, 0, sizeof (pass1));
free (pass1);
if (gcry_err) if (gcry_err)
{ {

View file

@ -34,6 +34,8 @@
#include <grub/env.h> #include <grub/env.h>
#include <grub/raid.h> #include <grub/raid.h>
#include <grub/i18n.h> #include <grub/i18n.h>
#include <grub/crypto.h>
#include <grub/cryptodisk.h>
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
@ -54,6 +56,7 @@ enum {
PRINT_DEVICE, PRINT_DEVICE,
PRINT_PARTMAP, PRINT_PARTMAP,
PRINT_ABSTRACTION, PRINT_ABSTRACTION,
PRINT_CRYPTODISK_UUID
}; };
int print = PRINT_FS; int print = PRINT_FS;
@ -63,15 +66,49 @@ static void
probe_partmap (grub_disk_t disk) probe_partmap (grub_disk_t disk)
{ {
grub_partition_t part; grub_partition_t part;
grub_disk_memberlist_t list = NULL, tmp;
if (disk->partition == NULL) if (disk->partition == NULL)
{ {
grub_util_info ("no partition map found for %s", disk->name); grub_util_info ("no partition map found for %s", disk->name);
return;
} }
for (part = disk->partition; part; part = part->parent) for (part = disk->partition; part; part = part->parent)
printf ("%s\n", part->partmap->name); printf ("%s ", part->partmap->name);
/* In case of LVM/RAID, check the member devices as well. */
if (disk->dev->memberlist)
{
list = disk->dev->memberlist (disk);
}
while (list)
{
probe_partmap (list->disk);
tmp = list->next;
free (list);
list = tmp;
}
}
static void
probe_cryptodisk_uuid (grub_disk_t disk)
{
grub_disk_memberlist_t list = NULL, tmp;
/* In case of LVM/RAID, check the member devices as well. */
if (disk->dev->memberlist)
{
list = disk->dev->memberlist (disk);
}
while (list)
{
probe_cryptodisk_uuid (list->disk);
tmp = list->next;
free (list);
list = tmp;
}
if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
grub_util_cryptodisk_print_uuid (disk);
} }
static int static int
@ -88,6 +125,42 @@ probe_raid_level (grub_disk_t disk)
return ((struct grub_raid_array *) disk->data)->level; return ((struct grub_raid_array *) disk->data)->level;
} }
static void
probe_abstraction (grub_disk_t disk)
{
grub_disk_memberlist_t list = NULL, tmp;
int raid_level;
if (disk->dev->memberlist)
list = disk->dev->memberlist (disk);
while (list)
{
probe_abstraction (list->disk);
tmp = list->next;
free (list);
list = tmp;
}
if (disk->dev->id == GRUB_DISK_DEVICE_LVM_ID)
printf ("lvm ");
if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
grub_util_cryptodisk_print_abstraction (disk);
raid_level = probe_raid_level (disk);
if (raid_level >= 0)
{
printf ("raid ");
if (disk->dev->raidname)
printf ("%s ", disk->dev->raidname (disk));
}
if (raid_level == 5)
printf ("raid5rec ");
if (raid_level == 6)
printf ("raid6rec ");
}
static void static void
probe (const char *path, char *device_name) probe (const char *path, char *device_name)
{ {
@ -136,91 +209,23 @@ probe (const char *path, char *device_name)
if (print == PRINT_ABSTRACTION) if (print == PRINT_ABSTRACTION)
{ {
grub_disk_memberlist_t list = NULL, tmp; probe_abstraction (dev->disk);
const int is_lvm = (dev->disk->dev->id == GRUB_DISK_DEVICE_LVM_ID);
int is_raid = 0;
int is_raid5 = 0;
int is_raid6 = 0;
int raid_level;
grub_disk_t raid_disk;
raid_level = probe_raid_level (dev->disk);
if (raid_level >= 0)
{
is_raid = 1;
is_raid5 |= (raid_level == 5);
is_raid6 |= (raid_level == 6);
raid_disk = dev->disk;
}
if ((is_lvm) && (dev->disk->dev->memberlist))
list = dev->disk->dev->memberlist (dev->disk);
while (list)
{
raid_level = probe_raid_level (list->disk);
if (raid_level >= 0)
{
is_raid = 1;
is_raid5 |= (raid_level == 5);
is_raid6 |= (raid_level == 6);
raid_disk = list->disk;
}
tmp = list->next;
free (list);
list = tmp;
}
if (is_raid)
{
printf ("raid ");
if (is_raid5)
printf ("raid5rec ");
if (is_raid6)
printf ("raid6rec ");
if (raid_disk->dev->raidname)
printf ("%s ", raid_disk->dev->raidname (raid_disk));
}
if (is_lvm)
printf ("lvm ");
printf ("\n"); printf ("\n");
goto end;
}
if (print == PRINT_CRYPTODISK_UUID)
{
probe_cryptodisk_uuid (dev->disk);
printf ("\n");
goto end; goto end;
} }
if (print == PRINT_PARTMAP) if (print == PRINT_PARTMAP)
{ {
grub_disk_memberlist_t list = NULL, tmp;
/* Check if dev->disk itself is contained in a partmap. */ /* Check if dev->disk itself is contained in a partmap. */
probe_partmap (dev->disk); probe_partmap (dev->disk);
printf ("\n");
/* In case of LVM/RAID, check the member devices as well. */
if (dev->disk->dev->memberlist)
list = dev->disk->dev->memberlist (dev->disk);
while (list)
{
probe_partmap (list->disk);
/* LVM on RAID */
if (list->disk->dev->memberlist)
{
grub_disk_memberlist_t sub_list;
sub_list = list->disk->dev->memberlist (list->disk);
while (sub_list)
{
probe_partmap (sub_list->disk);
tmp = sub_list->next;
free (sub_list);
sub_list = tmp;
}
}
tmp = list->next;
free (list);
list = tmp;
}
goto end; goto end;
} }
@ -289,8 +294,8 @@ Probe device information for a given path (or device, if the -d option is given)
\n\ \n\
-d, --device given argument is a system device, not a path\n\ -d, --device given argument is a system device, not a path\n\
-m, --device-map=FILE use FILE as the device map [default=%s]\n\ -m, --device-map=FILE use FILE as the device map [default=%s]\n\
-t, --target=(fs|fs_uuid|fs_label|drive|device|partmap|abstraction)\n\ -t, --target=(fs|fs_uuid|fs_label|drive|device|partmap|abstraction|cryptodisk_uuid)\n\
print filesystem module, GRUB drive, system device, partition map module or abstraction module [default=fs]\n\ print filesystem module, GRUB drive, system device, partition map module, abstraction module or CRYPTO UUID [default=fs]\n\
-h, --help display this message and exit\n\ -h, --help display this message and exit\n\
-V, --version print version information and exit\n\ -V, --version print version information and exit\n\
-v, --verbose print verbose messages\n\ -v, --verbose print verbose messages\n\
@ -348,6 +353,8 @@ main (int argc, char *argv[])
print = PRINT_PARTMAP; print = PRINT_PARTMAP;
else if (!strcmp (optarg, "abstraction")) else if (!strcmp (optarg, "abstraction"))
print = PRINT_ABSTRACTION; print = PRINT_ABSTRACTION;
else if (!strcmp (optarg, "cryptodisk_uuid"))
print = PRINT_CRYPTODISK_UUID;
else else
usage (1); usage (1);
break; break;
@ -393,6 +400,7 @@ main (int argc, char *argv[])
/* Initialize all modules. */ /* Initialize all modules. */
grub_init_all (); grub_init_all ();
grub_gcry_init_all ();
grub_lvm_fini (); grub_lvm_fini ();
grub_mdraid09_fini (); grub_mdraid09_fini ();
@ -410,6 +418,7 @@ main (int argc, char *argv[])
probe (argument, NULL); probe (argument, NULL);
/* Free resources. */ /* Free resources. */
grub_gcry_fini_all ();
grub_fini_all (); grub_fini_all ();
grub_util_biosdisk_fini (); grub_util_biosdisk_fini ();

View file

@ -42,7 +42,15 @@ except:
cipher_files = os.listdir (cipher_dir_in) cipher_files = os.listdir (cipher_dir_in)
conf = open (os.path.join ("grub-core", "Makefile.gcry.def"), "w") conf = open (os.path.join ("grub-core", "Makefile.gcry.def"), "w")
conf.write ("AutoGen definitions Makefile.tpl;\n\n") conf.write ("AutoGen definitions Makefile.tpl;\n\n")
confutil = open ("Makefile.utilgcry.def", "w")
confutil.write ("AutoGen definitions Makefile.tpl;\n\n")
confutil.write ("library = {\n");
confutil.write (" name = libgrubgcry.a;\n");
confutil.write (" cflags = '$(CFLAGS_GCRY)';\n");
confutil.write (" cppflags = '$(CPPFLAGS_GCRY)';\n");
confutil.write ("\n");
chlog = "" chlog = ""
modules = []
# Strictly speaking CRC32/CRC24 work on bytes so this value should be 1 # Strictly speaking CRC32/CRC24 work on bytes so this value should be 1
# But libgcrypt uses 64. Let's keep the value for compatibility. Since # But libgcrypt uses 64. Let's keep the value for compatibility. Since
@ -103,6 +111,7 @@ for cipher_file in cipher_files:
skip = False skip = False
skip2 = False skip2 = False
ismd = False ismd = False
iscipher = False
iscryptostart = False iscryptostart = False
iscomma = False iscomma = False
isglue = False isglue = False
@ -132,15 +141,22 @@ for cipher_file in cipher_files:
sg = s.groups()[0] sg = s.groups()[0]
cryptolist.write (("%s: %s\n") % (sg, modname)) cryptolist.write (("%s: %s\n") % (sg, modname))
iscryptostart = False iscryptostart = False
if ismd: if ismd or iscipher:
if not re.search (" *};", line) is None: if not re.search (" *};", line) is None:
if not mdblocksizes.has_key (mdname):
print ("ERROR: Unknown digest blocksize: %s\n" % mdname)
exit (1)
if not iscomma: if not iscomma:
fw.write (" ,\n") fw.write (" ,\n")
fw.write (" .blocksize = %s\n" % mdblocksizes [mdname]) fw.write ("#ifdef GRUB_UTIL\n");
fw.write (" .modname = \"%s\",\n" % modname);
fw.write ("#endif\n");
if ismd:
if not mdblocksizes.has_key (mdname):
print ("ERROR: Unknown digest blocksize: %s\n"
% mdname)
exit (1)
fw.write (" .blocksize = %s\n"
% mdblocksizes [mdname])
ismd = False ismd = False
iscipher = False
iscomma = not re.search (",$", line) is None iscomma = not re.search (",$", line) is None
# Used only for selftests. # Used only for selftests.
m = re.match ("(static byte|static unsigned char) (weak_keys_chksum)\[[0-9]*\] =", line) m = re.match ("(static byte|static unsigned char) (weak_keys_chksum)\[[0-9]*\] =", line)
@ -181,14 +197,18 @@ for cipher_file in cipher_files:
continue continue
m = re.match ("gcry_cipher_spec_t", line) m = re.match ("gcry_cipher_spec_t", line)
if isc and not m is None: if isc and not m is None:
assert (not iscryptostart)
assert (not iscipher)
assert (not iscryptostart) assert (not iscryptostart)
ciphername = line [len ("gcry_cipher_spec_t"):].strip () ciphername = line [len ("gcry_cipher_spec_t"):].strip ()
ciphername = re.match("[a-zA-Z0-9_]*",ciphername).group () ciphername = re.match("[a-zA-Z0-9_]*",ciphername).group ()
ciphernames.append (ciphername) ciphernames.append (ciphername)
iscipher = True
iscryptostart = True iscryptostart = True
m = re.match ("gcry_md_spec_t", line) m = re.match ("gcry_md_spec_t", line)
if isc and not m is None: if isc and not m is None:
assert (not ismd) assert (not ismd)
assert (not iscipher)
assert (not iscryptostart) assert (not iscryptostart)
mdname = line [len ("gcry_md_spec_t"):].strip () mdname = line [len ("gcry_md_spec_t"):].strip ()
mdname = re.match("[a-zA-Z0-9_]*",mdname).group () mdname = re.match("[a-zA-Z0-9_]*",mdname).group ()
@ -249,6 +269,7 @@ for cipher_file in cipher_files:
% (cipher_file, cipher_file.replace ("-glue.c", ".c")) % (cipher_file, cipher_file.replace ("-glue.c", ".c"))
else: else:
modfiles = "lib/libgcrypt-grub/cipher/%s" % cipher_file modfiles = "lib/libgcrypt-grub/cipher/%s" % cipher_file
modules.append (modname)
chmsg = "(GRUB_MOD_INIT(%s)): New function\n" % modname chmsg = "(GRUB_MOD_INIT(%s)): New function\n" % modname
if nch: if nch:
chlognew = "%s\n %s" % (chlognew, chmsg) chlognew = "%s\n %s" % (chlognew, chmsg)
@ -283,6 +304,7 @@ for cipher_file in cipher_files:
conf.write (" name = %s;\n" % modname) conf.write (" name = %s;\n" % modname)
for src in modfiles.split(): for src in modfiles.split():
conf.write (" common = %s;\n" % src) conf.write (" common = %s;\n" % src)
confutil.write (" common = grub-core/%s;\n" % src)
conf.write (" cflags = '$(CFLAGS_GCRY)';\n"); conf.write (" cflags = '$(CFLAGS_GCRY)';\n");
conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n"); conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n");
conf.write ("};\n\n") conf.write ("};\n\n")
@ -329,6 +351,32 @@ fw.close ()
infile = os.path.join (cipher_dir_in, "ChangeLog") infile = os.path.join (cipher_dir_in, "ChangeLog")
outfile = os.path.join (cipher_dir_out, "ChangeLog") outfile = os.path.join (cipher_dir_out, "ChangeLog")
conf.close ();
initfile = open (os.path.join (cipher_dir_out, "init.c"), "w")
for module in modules:
initfile.write ("extern void grub_%s_init (void);\n" % module)
initfile.write ("extern void grub_%s_fini (void);\n" % module)
initfile.write ("\n")
initfile.write ("void\n")
initfile.write ("grub_gcry_init_all (void)\n")
initfile.write ("{\n")
for module in modules:
initfile.write (" grub_%s_init ();\n" % module)
initfile.write ("}\n")
initfile.write ("\n")
initfile.write ("void\n")
initfile.write ("grub_gcry_fini_all (void)\n")
initfile.write ("{\n")
for module in modules:
initfile.write (" grub_%s_fini ();\n" % module)
initfile.write ("}\n")
initfile.close ()
confutil.write (" common = grub-core/lib/libgcrypt-grub/cipher/init.c;\n")
confutil.write ("};\n");
confutil.close ();
f=open (infile, "r") f=open (infile, "r")
fw=open (outfile, "w") fw=open (outfile, "w")