Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:BenniBrunner:branches:home:okir:FDE
grub2
0001-cryptodisk-add-luks_recover_key-attempts-o...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-cryptodisk-add-luks_recover_key-attempts-option.patch of Package grub2
From 7a2b845f421d8605e139b2a7e41c2d7722c969c3 Mon Sep 17 00:00:00 2001 From: "Jason J. Kushmaul" <address@hidden> Date: Sat, 20 Jul 2019 17:03:01 -0400 Subject: [PATCH] cryptodisk: add luks_recover_key attempts option Those with motor impairments have a barrier preventing them from enjoying LUKS full disk encryption with strong passphrases due to no retry behavior. This patch adds an accessibility configuration where one may configure an arbitrary number of attempts via the "-t" option. Existing users will observe the original behavior with a default of 1 attempt. Signed-off-by: Jason J. Kushmaul <address@hidden> --- docs/grub.texi | 9 ++++++-- grub-core/disk/cryptodisk.c | 15 ++++++++++-- grub-core/disk/luks.c | 39 ++++++++++++++++++++++++++------ grub-core/osdep/aros/config.c | 4 ++++ grub-core/osdep/unix/config.c | 9 ++++++-- grub-core/osdep/windows/config.c | 4 ++++ include/grub/emu/config.h | 1 + util/config.c | 18 +++++++++++++++ util/grub-install.c | 12 +++++----- 9 files changed, 92 insertions(+), 19 deletions(-) Index: grub-2.06/docs/grub.texi =================================================================== --- grub-2.06.orig/docs/grub.texi +++ grub-2.06/docs/grub.texi @@ -1549,6 +1549,10 @@ check for encrypted disks and generate a them during boot. Note that in this case unattended boot is not possible because GRUB will wait for passphrase to unlock encrypted container. +@item GRUB_CRYPTODISK_ATTEMPTS +If not present or zero the default is 1. Currently only LUKS +cryptodisks support that option. + @item GRUB_INIT_TUNE Play a tune on the speaker when GRUB starts. This is particularly useful for users unable to see the screen. The value of this option is passed @@ -4310,14 +4314,14 @@ Alias for @code{hashsum --hash crc32 arg @node cryptomount @subsection cryptomount -@deffn Command cryptomount [@option{-p} password] device|@option{-u} uuid|@option{-a}|@option{-b} +@deffn Command cryptomount [@option{-t} tries] device]|[@option{-p} password] device|@option{-u} uuid|@option{-a}|@option{-b} Setup access to encrypted device. If @option{-p} is not given, a passphrase is requested interactively. Otherwise, the given @var{password} will be used and no passphrase will be requested interactively. Option @var{device} configures specific grub device (@pxref{Naming convention}); option @option{-u} @var{uuid} configures device with specified @var{uuid}; option @option{-a} configures all detected encrypted -devices; option @option{-b} configures all geli containers that have boot flag set. +devices; option @option{-b} configures all geli containers that have boot flag set; option @option{-t}, LUKS only, configures passphrase retry attempts, defaulting to 1.. GRUB suports devices encrypted using LUKS, LUKS2 and geli. Note that necessary modules (@var{luks}, @var{luks2} and @var{geli}) have to be loaded manually Index: grub-2.06/grub-core/disk/cryptodisk.c =================================================================== --- grub-2.06.orig/grub-core/disk/cryptodisk.c +++ grub-2.06/grub-core/disk/cryptodisk.c @@ -36,6 +36,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); +unsigned long max_attempts; grub_cryptodisk_dev_t grub_cryptodisk_list; static const struct grub_arg_option options[] = @@ -47,6 +48,7 @@ static const struct grub_arg_option opti {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING}, {"protector", 'k', GRUB_ARG_OPTION_REPEATABLE, N_("Unlock volume(s) using key protector(s)."), 0, ARG_TYPE_STRING}, + {"tries", 't', 0, N_("Max passphrase attempts."), 0, (enum grub_arg_type)GRUB_KEY_ARG}, {0, 0, 0, 0, 0, 0} }; @@ -1295,6 +1297,15 @@ grub_cmd_cryptomount (grub_extcmd_contex cargs.protectors = state[4].args; } + /* Default to original behavior of 1 attempt */ + max_attempts = 1; + if (state[5].set) /* tries */ + { + if (state[5].arg) + max_attempts = grub_strtoul (state[5].arg, NULL, 10); + } + max_attempts = max_attempts ? max_attempts : 1; + if (state[0].set) /* uuid */ { int found_uuid; @@ -1513,7 +1524,7 @@ GRUB_MOD_INIT (cryptodisk) { grub_disk_dev_register (&grub_cryptodisk_dev); cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, - N_("[-p password] [-k protector [-k protector ...]] <SOURCE|-u UUID|-a|-b>"), + N_("[-p password] [-k protector [-k protector ...]] [-t TRIES] <SOURCE|-u UUID|-a|-b>"), N_("Mount a crypto device."), options); grub_procfs_register ("luks_script", &luks_script); } Index: grub-2.06/grub-core/disk/luks.c =================================================================== --- grub-2.06.orig/grub-core/disk/luks.c +++ grub-2.06/grub-core/disk/luks.c @@ -31,6 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); #define LUKS_KEY_ENABLED 0x00AC71F3 +extern unsigned long max_attempts; + /* On disk LUKS header */ struct grub_luks_phdr { @@ -148,11 +150,11 @@ configure_ciphers (grub_disk_t disk, gru } static grub_err_t -luks_recover_key (grub_disk_t source, +luks_recover_key_attempt (grub_disk_t source, grub_cryptodisk_t dev, - grub_cryptomount_args_t cargs) + grub_cryptomount_args_t cargs, + struct grub_luks_phdr header) { - struct grub_luks_phdr header; grub_size_t keysize; grub_uint8_t *split_key = NULL; grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; @@ -164,10 +166,6 @@ luks_recover_key (grub_disk_t source, if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); - err = grub_disk_read (source, 0, 0, sizeof (header), &header); - if (err) - return err; - grub_puts_ (N_("Attempting to decrypt master key...")); keysize = grub_be_to_cpu32 (header.keyBytes); if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN) @@ -296,6 +294,35 @@ luks_recover_key (grub_disk_t source, return GRUB_ACCESS_DENIED; } +static grub_err_t +luks_recover_key (grub_disk_t source, + grub_cryptodisk_t dev, + grub_cryptomount_args_t cargs + ) +{ + grub_err_t err; + struct grub_luks_phdr header; + unsigned long i; + + err = grub_disk_read (source, 0, 0, sizeof (header), &header); + if (err) + return err; + + max_attempts = max_attempts ? max_attempts : 1; + for (i = 0; i < max_attempts; i++) + { + /* When i > 0, the previous failed attempt will have + * a grub_errno == GRUB_ERR_ACCESS_DENIED + */ + grub_errno = GRUB_ERR_NONE; + err = luks_recover_key_attempt(source, dev, cargs, header); + /* Anything other than GRUB_ERR_ACCESS_DENIED is success, or unrecoverable. */ + if (err != GRUB_ERR_ACCESS_DENIED && err != GRUB_ERR_BAD_ARGUMENT) + return err; + } + return err; +} + struct grub_cryptodisk_dev luks_crypto = { .scan = configure_ciphers, .recover_key = luks_recover_key Index: grub-2.06/grub-core/osdep/aros/config.c =================================================================== --- grub-2.06.orig/grub-core/osdep/aros/config.c +++ grub-2.06/grub-core/osdep/aros/config.c @@ -74,6 +74,10 @@ grub_util_load_config (struct grub_util_ if (v && v[0] == 'y' && v[1] == '\0') cfg->is_cryptodisk_enabled = 1; + v = getenv("GRUB_CRYPTODISK_ATTEMPTS"); + if (v) + cfg->cryptodisk_attempts = grub_strtoul(v, 0, 0); + v = getenv ("GRUB_DISTRIBUTOR"); if (v) cfg->grub_distributor = xstrdup (v); Index: grub-2.06/grub-core/osdep/unix/config.c =================================================================== --- grub-2.06.orig/grub-core/osdep/unix/config.c +++ grub-2.06/grub-core/osdep/unix/config.c @@ -203,6 +203,10 @@ grub_util_load_config (struct grub_util_ if (v && v[0] == 'y' && v[1] == '\0') cfg->is_cryptodisk_enabled = 1; + v = getenv("GRUB_CRYPTODISK_ATTEMPTS"); + if (v) + cfg->cryptodisk_attempts = grub_strtoul(v, 0, 0); + v = getenv ("GRUB_DISTRIBUTOR"); if (v) cfg->grub_distributor = xstrdup (v); @@ -243,8 +247,8 @@ grub_util_load_config (struct grub_util_ *ptr++ = *iptr; } - strcpy (ptr, "'; printf \"GRUB_ENABLE_CRYPTODISK=%s\\nGRUB_DISTRIBUTOR=%s\\nSUSE_BTRFS_SNAPSHOT_BOOTING=%s\\n\" " - "\"$GRUB_ENABLE_CRYPTODISK\" \"$GRUB_DISTRIBUTOR\" \"$SUSE_BTRFS_SNAPSHOT_BOOTING\""); + strcpy (ptr, "'; printf \"GRUB_ENABLE_CRYPTODISK=%s\\nGRUB_CRYPTODISK_ATTEMPTS=%s\\nGRUB_DISTRIBUTOR=%s\\nSUSE_BTRFS_SNAPSHOT_BOOTING=%s\\n\" " + "\"$GRUB_ENABLE_CRYPTODISK\" \"$GRUB_CRYPTODISK_ATTEMPTS\" \"$GRUB_DISTRIBUTOR\" \"$SUSE_BTRFS_SNAPSHOT_BOOTING\""); argv[2] = script; argv[3] = '\0'; Index: grub-2.06/grub-core/osdep/windows/config.c =================================================================== --- grub-2.06.orig/grub-core/osdep/windows/config.c +++ grub-2.06/grub-core/osdep/windows/config.c @@ -41,6 +41,10 @@ grub_util_load_config (struct grub_util_ if (v && v[0] == 'y' && v[1] == '\0') cfg->is_cryptodisk_enabled = 1; + v = getenv("GRUB_CRYPTODISK_ATTEMPTS"); + if (v) + cfg->cryptodisk_attempts = grub_strtoul(v, 0, 0); + v = getenv ("GRUB_DISTRIBUTOR"); if (v) cfg->grub_distributor = xstrdup (v); Index: grub-2.06/include/grub/emu/config.h =================================================================== --- grub-2.06.orig/include/grub/emu/config.h +++ grub-2.06/include/grub/emu/config.h @@ -37,6 +37,7 @@ struct grub_util_config { int is_cryptodisk_enabled; char *grub_distributor; + unsigned long cryptodisk_attempts; int is_suse_btrfs_snapshot_enabled; }; Index: grub-2.06/util/config.c =================================================================== --- grub-2.06.orig/util/config.c +++ grub-2.06/util/config.c @@ -23,6 +23,7 @@ #include <grub/emu/config.h> #include <grub/util/misc.h> + void grub_util_parse_config (FILE *f, struct grub_util_config *cfg, int simple) { @@ -52,6 +53,23 @@ grub_util_parse_config (FILE *f, struct cfg->is_suse_btrfs_snapshot_enabled = 1; continue; } + if (grub_strncmp (ptr, "GRUB_CRYPTODISK_ATTEMPTS=", + sizeof ("GRUB_CRYPTODISK_ATTEMPTS=") - 1) == 0) + { + ptr += sizeof ("GRUB_CRYPTODISK_ATTEMPTS=") - 1; + if (grub_strlen(ptr) > 1) + { + cfg->cryptodisk_attempts = grub_strtoul(ptr, 0, 0); + if (grub_errno == GRUB_ERR_BAD_NUMBER) + { + grub_util_warn("Bad number for GRUB_CRYPTODISK_ATTEMPTS, defaulting to 1"); + cfg->cryptodisk_attempts = 1; + /* there is no convenient way to report this */ + grub_errno = GRUB_ERR_NONE; + } + } + continue; + } if (grub_strncmp (ptr, "GRUB_DISTRIBUTOR=", sizeof ("GRUB_DISTRIBUTOR=") - 1) == 0) { Index: grub-2.06/util/grub-install.c =================================================================== --- grub-2.06.orig/util/grub-install.c +++ grub-2.06/util/grub-install.c @@ -579,7 +579,7 @@ have_bootdev (enum grub_install_plat pl) } static void -probe_cryptodisk_uuid (grub_disk_t disk) +probe_cryptodisk_uuid (grub_disk_t disk, unsigned attempts) { grub_disk_memberlist_t list = NULL, tmp; @@ -590,7 +590,7 @@ probe_cryptodisk_uuid (grub_disk_t disk) } while (list) { - probe_cryptodisk_uuid (list->disk); + probe_cryptodisk_uuid (list->disk, attempts); tmp = list->next; free (list); list = tmp; @@ -602,8 +602,8 @@ probe_cryptodisk_uuid (grub_disk_t disk) load_cfg_f = grub_util_fopen (load_cfg, "wb"); have_load_cfg = 1; - fprintf (load_cfg_f, "cryptomount -u %s\n", - uuid); + fprintf (load_cfg_f, "cryptomount -u %s -t %u\n", + uuid, attempts); } } @@ -1681,7 +1681,7 @@ main (int argc, char *argv[]) if (config.is_cryptodisk_enabled) { if (grub_dev->disk) - probe_cryptodisk_uuid (grub_dev->disk); + probe_cryptodisk_uuid (grub_dev->disk, config.cryptodisk_attempts); for (curdrive = grub_drives + 1; *curdrive; curdrive++) { @@ -1689,7 +1689,7 @@ main (int argc, char *argv[]) if (!dev) continue; if (dev->disk) - probe_cryptodisk_uuid (dev->disk); + probe_cryptodisk_uuid (dev->disk, config.cryptodisk_attempts); grub_device_close (dev); } }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor