16 Commits

Author SHA1 Message Date
Glenn Washburn
cf3a3acff0 cryptodisk: Properly handle non-512 byte sized sectors
By default, dm-crypt internally uses an IV that corresponds to 512-byte
sectors, even when a larger sector size is specified. What this means is
that when using a larger sector size, the IV is incremented every sector.
However, the amount the IV is incremented is the number of 512 byte blocks
in a sector (i.e. 8 for 4K sectors). Confusingly the IV does not correspond
to the number of, for example, 4K sectors. So each 512 byte cipher block in
a sector will be encrypted with the same IV and the IV will be incremented
afterwards by the number of 512 byte cipher blocks in the sector.

There are some encryption utilities which do it the intuitive way and have
the IV equal to the sector number regardless of sector size (i.e. the fifth
sector would have an IV of 4 for each cipher block). And this is supported
by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.3.3
with the --iv-large-sectors, though not with LUKS headers (only with --type
plain). However, support for this has not been included as grub does not
support plain devices right now.

One gotcha here is that the encrypted split keys are encrypted with a hard-
coded 512-byte sector size. So even if your data is encrypted with 4K sector
sizes, the split key encrypted area must be decrypted with a block size of
512 (i.e. the IV increments every 512 bytes). This made these changes less
aesthetically pleasing than desired.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-12-12 01:19:05 +01:00
Glenn Washburn
d78ce33e60 cryptodisk: Rename "offset" in grub_cryptodisk_t to "offset_sectors"
This makes it clear that the offset represents sectors, not bytes, in
order to improve readability.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-11-20 15:33:41 +01:00
Glenn Washburn
535998c2e0 cryptodisk: Rename "total_length" field in grub_cryptodisk_t to "total_sectors"
This creates an alignment with grub_disk_t naming of the same field and is
more intuitive as to how it should be used.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-11-20 15:33:41 +01:00
Patrick Steinhardt
dd3f49b106 luks: Move configuration of ciphers into cryptodisk
The luks module contains quite a lot of logic to parse cipher and
cipher-mode strings like aes-xts-plain64 into constants to apply them
to the grub_cryptodisk_t structure. This code will be required by the
upcoming luks2 module, as well, which is why this commit moves it into
its own function grub_cryptodisk_setcipher in the cryptodisk module.
While the strings are probably rather specific to the LUKS modules, it
certainly does make sense that the cryptodisk module houses code to set
up its own internal ciphers instead of hosting that code in the luks
module.

Except for necessary adjustments around error handling, this commit does
an exact move of the cipher configuration logic from luks.c to
cryptodisk.c. Any behavior changes are unintentional.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-01-10 14:29:37 +01:00
grub-devel@iam.tj
c7f93a20c4 cryptodisk: teach grub_cryptodisk_insert() about partitions (bug #45889)
It is not possible to configure encrypted containers on multiple partitions of
the same disk; after the first one all subsequent fail with

disk/cryptodisk.c:978: already mounted as crypto0

Store partition offset in cryptomount descriptor to distinguish between them.
2015-11-07 18:52:59 +03:00
Colin Watson
24024dac7f Fix partmap, cryptodisk, and abstraction handling in grub-mkconfig.
Commit 588744d0dc caused grub-mkconfig
no longer to be forgiving of trailing spaces on grub-probe output
lines, which among other things means that util/grub.d/10_linux.in
no longer detects LVM.  To fix this, make grub-probe's output
delimiting more consistent.  As a bonus, this improves the coverage
of the -0 option.

Fixes Debian bug #735935.

* grub-core/disk/cryptodisk.c
(grub_util_cryptodisk_get_abstraction): Add a user-data argument.
* grub-core/disk/diskfilter.c (grub_diskfilter_get_partmap):
Likewise.
* include/grub/cryptodisk.h (grub_util_cryptodisk_get_abstraction):
Update prototype.
* include/grub/diskfilter.h (grub_diskfilter_get_partmap): Likewise.
* util/grub-install.c (push_partmap_module, push_cryptodisk_module,
probe_mods): Adjust for extra user-data arguments.
* util/grub-probe.c (do_print, probe_partmap, probe_cryptodisk_uuid,
probe_abstraction): Use configured delimiter.  Update callers.
2014-03-31 14:48:46 +01:00
Vladimir 'phcoder' Serbinenko
bf25f87931 Make cryptodisk and diskfilter probe data retrievable programmatically
and not just printable.
2013-10-04 01:43:47 +02:00
Vladimir 'phcoder' Serbinenko
a47a78be88 * include/grub/cryptodisk.h (grub_cryptodisk): Use grub_util_fd_t
for cheat_fd.
	* grub-core/disk/cryptodisk.c (grub_cryptodisk_open): Use grub_util_*
	functions.
	(grub_cryptodisk_cheat_insert): Likewise.
	(grub_cryptodisk_close): Likewise.
2013-09-23 11:58:19 +02:00
Vladimir 'phcoder' Serbinenko
ce50dbd746 Add new 'proc' filesystem framework and put luks_script into it.
2013-03-24 13:05:59 +01:00
Vladimir 'phcoder' Serbinenko
87edb8940a Replace single-linked with double-linked lists. It results in more
compact and more efficient code.

	* grub-core/kern/list.c (grub_list_push): Moved from here ...
	* include/grub/list.h (grub_list_push): ... to here. Set prev.
	(grub_list_remove): Moved from here ...
	* include/grub/list.h (grub_list_remove): ... here. Use and set prev.
	(grub_prio_list_insert): Set prev.
	* include/grub/list.h (grub_list): Add prev. All users updated.
2012-01-24 13:31:12 +01:00
Vladimir 'phcoder' Serbinenko
20a409405b Integrate geli into autoconfiguration system
2011-04-25 14:52:07 +02:00
Vladimir 'phcoder' Serbinenko
23432f6542 support UUID for geli
2011-04-24 21:11:14 +02:00
Vladimir 'phcoder' Serbinenko
171e2be183 geli xts support
2011-04-24 17:41:50 +02:00
Vladimir 'phcoder' Serbinenko
88ac3146d6 geli v5 (including rekeying support)
2011-04-24 17:15:55 +02:00
Vladimir 'phcoder' Serbinenko
3e90811d88 support non-512B sectors for geli
2011-04-24 14:59:38 +02:00
Vladimir 'phcoder' Serbinenko
1a1f408f20 geli support
2011-04-24 00:00:29 +02:00