AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

grub2 with argon2

Browse Source
This commit is contained in:
Dmitriy Kholkin 2022-12-10 02:23:25 +03:00
parent 268d8c6e1f
commit e9e6c06f64
8 changed files with 3628 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
profiles/overlay.nix
View File

@ -93,6 +93,8 @@ with lib; {
EOF EOF
''; '';
}); });
grub2 = prev.callPackage ./packages/grub { };
} }
) )
]; ];

235
profiles/packages/grub/add-hidden-menu-entries.patch Normal file
View File

@ -0,0 +1,235 @@
From grub-devel Fri Apr 29 12:46:36 2016
From: Alexander Graf <agraf () suse ! de>
Date: Fri, 29 Apr 2016 12:46:36 +0000
To: grub-devel
Subject: [PATCH v3] Add hidden menu entries
Message-Id: <1461933996-31450-1-git-send-email-agraf () suse ! de>
X-MARC-Message: https://marc.info/?l=grub-devel&m=146193404929072
The menu infrastructure is quite powerful. It allows you to define menu
entries that can contain arbitrary grub commands that can do a lot more
than just boot kernel entries.
For some of these it makes sense to hide them inside the normal menu
though and instead have them available through hotkeys that get advertised
differently. My main use case is to switch to the serial console when
gfxterm is loaded.
So this patch adds support for hidden menu entries that are accessible
using hotkeys, but are not accessible in the grub menu.
Signed-off-by: Alexander Graf <agraf@suse.de>
---
v1 -> v2:
- fix default entry selection
v2 -> v3:
- replace "--hidden" parameter with new command "hiddenentry"
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
index dd9d9f1..b282c4f 100644
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@@ -133,7 +133,7 @@ legacy_file (const char *filename)
args[0] = oldname;
grub_normal_add_menu_entry (1, args, NULL, NULL, "legacy",
NULL, NULL,
- entrysrc, 0);
+ entrysrc, 0, 0);
grub_free (args);
entrysrc[0] = 0;
grub_free (oldname);
@@ -186,7 +186,7 @@ legacy_file (const char *filename)
}
args[0] = entryname;
grub_normal_add_menu_entry (1, args, NULL, NULL, NULL,
- NULL, NULL, entrysrc, 0);
+ NULL, NULL, entrysrc, 0, 0);
grub_free (args);
}
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 58d4dad..b4d6c31 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -78,7 +78,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
char **classes, const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu)
+ int submenu, int hidden)
{
int menu_hotkey = 0;
char **menu_args = NULL;
@@ -188,8 +188,11 @@ grub_normal_add_menu_entry (int argc, const char **args,
(*last)->args = menu_args;
(*last)->sourcecode = menu_sourcecode;
(*last)->submenu = submenu;
+ (*last)->hidden = hidden;
+
+ if (!hidden)
+ menu->size++;
- menu->size++;
return GRUB_ERR_NONE;
fail:
@@ -286,7 +289,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
users,
ctxt->state[2].arg, 0,
ctxt->state[3].arg,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src = args[argc - 1];
args[argc - 1] = NULL;
@@ -303,7 +307,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
ctxt->state[0].args, ctxt->state[4].arg,
users,
ctxt->state[2].arg, prefix, src + 1,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src[len - 1] = ch;
args[argc - 1] = src;
@@ -311,7 +316,7 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
return r;
}
-static grub_extcmd_t cmd, cmd_sub;
+static grub_extcmd_t cmd, cmd_sub, cmd_hidden;
void
grub_menu_init (void)
@@ -327,6 +332,13 @@ grub_menu_init (void)
| GRUB_COMMAND_FLAG_EXTRACTOR,
N_("BLOCK"), N_("Define a submenu."),
options);
+ cmd_hidden = grub_register_extcmd ("hiddenentry", grub_cmd_menuentry,
+ GRUB_COMMAND_FLAG_BLOCKS
+ | GRUB_COMMAND_ACCEPT_DASH
+ | GRUB_COMMAND_FLAG_EXTRACTOR,
+ N_("BLOCK"),
+ N_("Define a hidden menu entry."),
+ options);
}
void
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 719e2fb..2a151fe 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -40,6 +40,8 @@
grub_err_t (*grub_gfxmenu_try_hook) (int entry, grub_menu_t menu,
int nested) = NULL;
+#define MENU_INCLUDE_HIDDEN 0x10000
+
enum timeout_style {
TIMEOUT_STYLE_MENU,
TIMEOUT_STYLE_COUNTDOWN,
@@ -80,8 +82,20 @@ grub_menu_get_entry (grub_menu_t menu, int no)
{
grub_menu_entry_t e;
- for (e = menu->entry_list; e && no > 0; e = e->next, no--)
- ;
+ if (no & MENU_INCLUDE_HIDDEN) {
+ no &= ~MENU_INCLUDE_HIDDEN;
+
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--)
+ ;
+ } else {
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--) {
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+ }
+ while (e && e->hidden)
+ e = e->next;
+ }
return e;
}
@@ -93,10 +107,10 @@ get_entry_index_by_hotkey (grub_menu_t menu, int hotkey)
grub_menu_entry_t entry;
int i;
- for (i = 0, entry = menu->entry_list; i < menu->size;
+ for (i = 0, entry = menu->entry_list; entry;
i++, entry = entry->next)
if (entry->hotkey == hotkey)
- return i;
+ return i | MENU_INCLUDE_HIDDEN;
return -1;
}
@@ -510,6 +524,10 @@ get_entry_number (grub_menu_t menu, const char *name)
grub_menu_entry_t e = menu->entry_list;
int i;
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+
grub_errno = GRUB_ERR_NONE;
for (i = 0; e; i++)
@@ -521,6 +539,10 @@ get_entry_number (grub_menu_t menu, const char *name)
break;
}
e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
if (! e)
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index e22bb91..4ac2d6b 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -290,6 +290,10 @@ print_entries (grub_menu_t menu, const struct menu_viewer_data *data)
e, data);
if (e)
e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
grub_term_gotoxy (data->term,
diff --git a/include/grub/menu.h b/include/grub/menu.h
index ee2b5e9..eb8a86b 100644
--- a/include/grub/menu.h
+++ b/include/grub/menu.h
@@ -58,6 +58,8 @@ struct grub_menu_entry
int submenu;
+ int hidden;
+
/* The next element. */
struct grub_menu_entry *next;
};
diff --git a/include/grub/normal.h b/include/grub/normal.h
index 218cbab..bcb4124 100644
--- a/include/grub/normal.h
+++ b/include/grub/normal.h
@@ -145,7 +145,7 @@ grub_normal_add_menu_entry (int argc, const char **args, char **classes,
const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu);
+ int submenu, int hidden);
grub_err_t
grub_normal_set_password (const char *user, const char *password);

184
profiles/packages/grub/default.nix Normal file
View File

@ -0,0 +1,184 @@
{ lib, stdenv, fetchgit, flex, bison, python3, gnulib, libtool, bash, autoconf, automake
, gettext, ncurses, libusb-compat-0_1, freetype, qemu, lvm2, unifont, pkg-config
, buildPackages
, fetchpatch
, pkgsBuildBuild
, nixosTests
, fuse # only needed for grub-mount
, runtimeShell
, zfs ? null
, efiSupport ? false
, zfsSupport ? false
, xenSupport ? false
, kbdcompSupport ? false, ckbcomp
}:
with lib;
let
pcSystems = {
i686-linux.target = "i386";
x86_64-linux.target = "i386";
};
efiSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "aarch64";
};
# For aarch64, we need to use '--target=aarch64-efi' when building,
# but '--target=arm64-efi' when installing. Insanity!
efiSystemsInstall = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "arm64";
};
canEfi = any (system: stdenv.hostPlatform.system == system) (mapAttrsToList (name: _: name) efiSystemsBuild);
inPCSystems = any (system: stdenv.hostPlatform.system == system) (mapAttrsToList (name: _: name) pcSystems);
version = "2.06.r291";
in (
assert efiSupport -> canEfi;
assert zfsSupport -> zfs != null;
assert !(efiSupport && xenSupport);
stdenv.mkDerivation rec {
pname = "grub";
inherit version;
src = fetchgit {
url = "https://git.savannah.gnu.org/git/grub.git";
rev = "e43f3d93b28cce852c110c7a8e40d8311bcd8bb1";
hash = "sha256-8M0WqeDE4Hrwq/zlygfbAWUt7vdDeqfJLX1ADzQGM3I=";
};
patches = [
./fix-bash-completion.patch
./add-hidden-menu-entries.patch
./license.patch
./grub-2.06-luks2-argon2-v4.patch
./grub-AUR-improved-luks2.patch
./type-fix.patch
];
postPatch = if kbdcompSupport then ''
sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
'' else ''
echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
'';
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ bison flex python3 pkg-config gettext freetype autoconf automake ];
buildInputs = [ ncurses libusb-compat-0_1 freetype lvm2 fuse libtool bash ]
++ optional doCheck qemu
++ optional zfsSupport zfs;
strictDeps = true;
hardeningDisable = [ "all" ];
separateDebugInfo = !xenSupport;
# Work around a bug in the generated flex lexer (upstream flex bug?)
NIX_CFLAGS_COMPILE = "-Wno-error";
preConfigure =
'' for i in "tests/util/"*.in
do
sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
done
# Apparently, the QEMU executable is no longer called
# `qemu-system-i386', even on i386.
#
# In addition, use `-nodefaults' to avoid errors like:
#
# chardev: opening backend "stdio" failed
# qemu: could not open serial device 'stdio': Invalid argument
#
# See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
sed -i "tests/util/grub-shell.in" \
-e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
unset CPP # setting CPP intereferes with dependency calculation
patchShebangs .
./bootstrap --no-git --gnulib-srcdir=${gnulib}
substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
'';
configureFlags = [
"--enable-grub-mount" # dep of os-prober
] ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
# grub doesn't do cross-compilation as usual and tries to use unprefixed
# tools to target the host. Provide toolchain information explicitly for
# cross builds.
#
# Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
"TARGET_CC=${stdenv.cc.targetPrefix}cc"
"TARGET_NM=${stdenv.cc.targetPrefix}nm"
"TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
"TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
"TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
] ++ optional zfsSupport "--enable-libzfs"
++ optionals efiSupport [ "--with-platform=efi" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}" "--program-prefix=" ]
++ optionals xenSupport [ "--with-platform=xen" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"];
# save target that grub is compiled for
grubTarget = if efiSupport
then "${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
else if inPCSystems
then "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"
else "";
doCheck = false;
enableParallelBuilding = true;
postInstall = ''
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
# just adding bash to buildInputs wasn't enough to fix the shebang
substituteInPlace $out/lib/grub/*/modinfo.sh \
--replace ${buildPackages.bash} "/usr/bin/bash"
'';
passthru.tests = {
nixos-grub = nixosTests.grub;
nixos-install-simple = nixosTests.installer.simple;
nixos-install-grub1 = nixosTests.installer.grub1;
nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
};
meta = with lib; {
description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
longDescription =
'' GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
Unified Bootloader, which was originally designed and implemented by
Erich Stefan Boleyn.
Briefly, the boot loader is the first software program that runs when a
computer starts. It is responsible for loading and transferring
control to the operating system kernel software (such as the Hurd or
the Linux). The kernel, in turn, initializes the rest of the
operating system (e.g., GNU).
'';
homepage = "https://www.gnu.org/software/grub/";
license = licenses.gpl3Plus;
platforms = platforms.gnu ++ platforms.linux;
maintainers = [ maintainers.samueldr ];
};
})

24
profiles/packages/grub/fix-bash-completion.patch Normal file
View File

@ -0,0 +1,24 @@
diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in
--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:02:36.342733957 +0200
+++ grub-2.00/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:04:48.262733941 +0200
@@ -17,6 +17,12 @@
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
# bash completion for grub
+have()
+{
+ unset -v have
+ _have $1 && have=yes
+}
+
__grub_dir() {
local i c=1 boot_dir
@@ -479,6 +485,7 @@
have ${__grub_script_check_program} && \
complete -F _grub_script_check -o filenames ${__grub_script_check_program}
+unset -f have
# Local variables:
# mode: shell-script

2827
profiles/packages/grub/grub-2.06-luks2-argon2-v4.patch Normal file
View File

File diff suppressed because it is too large Load Diff

306
profiles/packages/grub/grub-AUR-improved-luks2.patch Normal file
View File

@ -0,0 +1,306 @@
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index 4ee5aeaad..e3eca68ca 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -353,8 +353,16 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
{
grub_cryptodisk_t cryptodisk;
grub_luks2_header_t header;
+ grub_luks2_keyslot_t keyslot;
+ grub_luks2_digest_t digest;
+ grub_luks2_segment_t segment;
+ char cipher[32], *json_header = NULL, *ptr;
+ grub_size_t candidate_key_len = 0, json_idx, size;
char uuid[sizeof (header.uuid) + 1];
grub_size_t i, j;
+ grub_err_t ret;
+ gcry_md_spec_t *hash = NULL;
+ grub_json_t *json = NULL, keyslots;
if (cargs->check_boot)
return NULL;
@@ -364,6 +372,175 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
grub_errno = GRUB_ERR_NONE;
return NULL;
}
+ json_header = grub_zalloc (grub_be_to_cpu64 (header.hdr_size) - sizeof (header));
+ if (!json_header)
+ return GRUB_ERR_OUT_OF_MEMORY;
+
+ /* Read the JSON area. */
+ ret = grub_disk_read (disk, 0, grub_be_to_cpu64 (header.hdr_offset) + sizeof (header),
+ grub_be_to_cpu64 (header.hdr_size) - sizeof (header), json_header);
+ if (ret)
+ goto err;
+
+ ptr = grub_memchr (json_header, 0, grub_be_to_cpu64 (header.hdr_size) - sizeof (header));
+ if (!ptr)
+ goto err;
+
+ ret = grub_json_parse (&json, json_header, grub_be_to_cpu64 (header.hdr_size));
+ if (ret)
+ {
+ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid LUKS2 JSON header");
+ goto err;
+ }
+
+ if (grub_json_getvalue (&keyslots, json, "keyslots") ||
+ grub_json_getsize (&size, &keyslots))
+ {
+ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Could not get keyslots");
+ goto err;
+ }
+
+ if (grub_disk_native_sectors (disk) == GRUB_DISK_SIZE_UNKNOWN)
+ {
+ /* FIXME: Allow use of source disk, and maybe cause errors in read. */
+ grub_dprintf ("luks2", "Source disk %s has an unknown size, "
+ "conservatively returning error\n", disk->name);
+ ret = grub_error (GRUB_ERR_BUG, "Unknown size of luks2 source device");
+ goto err;
+ }
+
+ cryptodisk = grub_zalloc (sizeof (*cryptodisk));
+ if (!cryptodisk)
+ return NULL;
+
+
+ /* Try all keyslot */
+ for (json_idx = 0; json_idx < size; json_idx++)
+ {
+ char indexstr[21]; /* log10(2^64) ~ 20, plus NUL character. */
+ typeof (disk->total_sectors) max_crypt_sectors = 0;
+
+ grub_errno = GRUB_ERR_NONE;
+ ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
+ if (ret)
+ goto err;
+ if (grub_errno != GRUB_ERR_NONE)
+ grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);
+
+ if (keyslot.priority == 0)
+ {
+ grub_dprintf ("luks2", "Ignoring keyslot \"%" PRIuGRUB_UINT64_T "\" due to priority\n", keyslot.idx);
+ continue;
+ }
+
+ grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n", keyslot.idx);
+
+ /* Sector size should be one of 512, 1024, 2048, or 4096. */
+ if (!(segment.sector_size == 512 || segment.sector_size == 1024 ||
+ segment.sector_size == 2048 || segment.sector_size == 4096))
+ {
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" sector"
+ " size %" PRIuGRUB_UINT64_T " is not one of"
+ " 512, 1024, 2048, or 4096\n",
+ segment.idx, segment.sector_size);
+ continue;
+ }
+
+ /* Set up disk according to keyslot's segment. */
+ cryptodisk->offset_sectors = grub_divmod64 (segment.offset, segment.sector_size, NULL);
+ cryptodisk->log_sector_size = grub_log2ull (segment.sector_size);
+ /* Set to the source disk/partition size, which is the maximum we allow. */
+ max_crypt_sectors = grub_disk_native_sectors (disk);
+ max_crypt_sectors = grub_convert_sector (max_crypt_sectors, GRUB_DISK_SECTOR_BITS,
+ cryptodisk->log_sector_size);
+
+ if (max_crypt_sectors < cryptodisk->offset_sectors)
+ {
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" has offset"
+ " %" PRIuGRUB_UINT64_T " which is greater than"
+ " source disk size %" PRIuGRUB_UINT64_T ","
+ " skipping\n", segment.idx, cryptodisk->offset_sectors,
+ max_crypt_sectors);
+ continue;
+ }
+
+ if (grub_strcmp (segment.size, "dynamic") == 0)
+ cryptodisk->total_sectors = max_crypt_sectors - cryptodisk->offset_sectors;
+ else
+ {
+ grub_errno = GRUB_ERR_NONE;
+
+ /* Convert segment.size to sectors, rounding up to nearest sector */
+ cryptodisk->total_sectors = grub_strtoull (segment.size, NULL, 10);
+
+ if (grub_errno == GRUB_ERR_NONE)
+ {
+ cryptodisk->total_sectors = ALIGN_UP (cryptodisk->total_sectors,
+ 1 << cryptodisk->log_sector_size);
+ cryptodisk->total_sectors >>= cryptodisk->log_sector_size;
+ }
+ else if (grub_errno == GRUB_ERR_BAD_NUMBER)
+ {
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" size"
+ " \"%s\" is not a parsable number,"
+ " skipping keyslot\n",
+ segment.idx, segment.size);
+ continue;
+ }
+ else if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
+ {
+ /*
+ * There was an overflow in parsing segment.size, so disk must
+ * be very large or the string is incorrect.
+ *
+ * TODO: Allow reading of at least up max_crypt_sectors. Really,
+ * its very unlikely one would be booting from such a large drive
+ * anyway. Use another smaller LUKS2 boot device.
+ */
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" size"
+ " %s overflowed 64-bit unsigned integer,"
+ " skipping keyslot\n", segment.idx, segment.size);
+ continue;
+ }
+ }
+
+ if (cryptodisk->total_sectors == 0)
+ {
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" has zero"
+ " sectors, skipping\n", segment.idx);
+ continue;
+ }
+ else if (max_crypt_sectors < (cryptodisk->offset_sectors + cryptodisk->total_sectors))
+ {
+ grub_dprintf ("luks2", "Segment \"%" PRIuGRUB_UINT64_T "\" has last"
+ " data position greater than source disk size,"
+ " the end of the crypto device will be"
+ " inaccessible\n", segment.idx);
+
+ /* Allow decryption up to the end of the source disk. */
+ cryptodisk->total_sectors = max_crypt_sectors - cryptodisk->offset_sectors;
+ }
+
+ /* Set up disk hash. */
+ if (keyslot.kdf.type == LUKS2_KDF_TYPE_PBKDF2)
+ {
+ hash = grub_crypto_lookup_md_by_name (keyslot.kdf.u.pbkdf2.hash);
+ if (!hash)
+ {
+ ret = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
+ keyslot.kdf.u.pbkdf2.hash);
+ goto err;
+ }
+ if (cryptodisk->hash)
+ {
+ if (grub_strcmp(hash->name, cryptodisk->hash->name)) {
+ ret = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "LUKS2 Module does not support using multiple SHA versions.");
+ goto err;
+ }
+ } else
+ cryptodisk->hash = hash;
+ }
+ }
for (i = 0, j = 0; i < sizeof (header.uuid); i++)
if (header.uuid[i] != '-')
@@ -376,15 +553,39 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
return NULL;
}
- cryptodisk = grub_zalloc (sizeof (*cryptodisk));
- if (!cryptodisk)
- return NULL;
-
COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));
+ hash = grub_crypto_lookup_md_by_name (digest.hash);
+ if (cryptodisk->hash) {
+ if (grub_strcmp(hash->name, cryptodisk->hash->name)) {
+ ret = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "LUKS2 Module does not support using multiple SHA versions.");
+ goto err;
+ }
+ } else
+ cryptodisk->hash = hash;
+
+ /* Set up disk cipher. */
+ grub_strncpy (cipher, segment.encryption, sizeof (cipher));
+ ptr = grub_memchr (cipher, '-', grub_strlen (cipher));
+ if (!ptr) {
+ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption");
+ goto err;
+ }
+ *ptr = '\0';
+
+ ret = grub_cryptodisk_setcipher (cryptodisk, cipher, ptr + 1);
+ if (ret)
+ goto err;
+
+
cryptodisk->modname = "luks2";
return cryptodisk;
+err:
+ grub_free (json_header);
+ grub_json_free (json);
+ grub_errno = ret;
+ return NULL;
}
static grub_err_t
diff --git a/grub-core/osdep/devmapper/getroot.c b/grub-core/osdep/devmapper/getroot.c
index 9ba5c9865..9ae1780c9 100644
--- a/grub-core/osdep/devmapper/getroot.c
+++ b/grub-core/osdep/devmapper/getroot.c
@@ -141,7 +141,12 @@ grub_util_get_dm_abstraction (const char *os_dev)
if (strncmp (uuid, "CRYPT-LUKS1-", 12) == 0)
{
grub_free (uuid);
- return GRUB_DEV_ABSTRACTION_LUKS;
+ return GRUB_DEV_ABSTRACTION_LUKS1;
+ }
+ if (strncmp (uuid, "CRYPT-LUKS2-", 12) == 0)
+ {
+ grub_free (uuid);
+ return GRUB_DEV_ABSTRACTION_LUKS2;
}
grub_free (uuid);
@@ -179,7 +184,7 @@ grub_util_pull_devmapper (const char *os_dev)
grub_util_pull_device (subdev);
}
}
- if (uuid && strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0
+ if (uuid && (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0)
&& lastsubdev)
{
char *grdev = grub_util_get_grub_dev (lastsubdev);
@@ -249,7 +254,8 @@ grub_util_get_devmapper_grub_dev (const char *os_dev)
return grub_dev;
}
- case GRUB_DEV_ABSTRACTION_LUKS:
+ case GRUB_DEV_ABSTRACTION_LUKS1:
+ case GRUB_DEV_ABSTRACTION_LUKS2:
{
char *dash;
diff --git a/include/grub/emu/getroot.h b/include/grub/emu/getroot.h
index 73fa2d34a..1a27faf28 100644
--- a/include/grub/emu/getroot.h
+++ b/include/grub/emu/getroot.h
@@ -29,7 +29,8 @@ enum grub_dev_abstraction_types {
GRUB_DEV_ABSTRACTION_NONE,
GRUB_DEV_ABSTRACTION_LVM,
GRUB_DEV_ABSTRACTION_RAID,
- GRUB_DEV_ABSTRACTION_LUKS,
+ GRUB_DEV_ABSTRACTION_LUKS1,
+ GRUB_DEV_ABSTRACTION_LUKS2,
GRUB_DEV_ABSTRACTION_GELI,
};
diff --git a/util/getroot.c b/util/getroot.c
index a5eaa64fd..76d86c174 100644
--- a/util/getroot.c
+++ b/util/getroot.c
@@ -100,7 +100,8 @@ grub_util_pull_device (const char *os_dev)
case GRUB_DEV_ABSTRACTION_LVM:
grub_util_pull_lvm_by_command (os_dev);
/* Fallthrough - in case that lvm-tools are unavailable. */
- case GRUB_DEV_ABSTRACTION_LUKS:
+ case GRUB_DEV_ABSTRACTION_LUKS1:
+ case GRUB_DEV_ABSTRACTION_LUKS2:
grub_util_pull_devmapper (os_dev);
return;

28
profiles/packages/grub/license.patch Normal file
View File

@ -0,0 +1,28 @@
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index e447fd0fa..6121a46e1 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -467,7 +467,8 @@ grub_dl_check_license (grub_dl_t mod, Elf_Ehdr *e)
if (grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3") == 0
|| grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3+") == 0
- || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0)
+ || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0
+ || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=CC0") == 0)
return GRUB_ERR_NONE;
return grub_error (GRUB_ERR_BAD_MODULE,
diff --git a/util/grub-module-verifierXX.c b/util/grub-module-verifierXX.c
index cf3ff0dfa..123322337 100644
--- a/util/grub-module-verifierXX.c
+++ b/util/grub-module-verifierXX.c
@@ -212,7 +212,8 @@ check_license (const char * const filename,
Elf_Shdr *s = find_section (arch, e, ".module_license");
if (s && (strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3") == 0
|| strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3+") == 0
- || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0))
+ || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0
+ || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=CC0") == 0))
return;
grub_util_error ("%s: incompatible license", filename);
}

22
profiles/packages/grub/type-fix.patch Normal file
View File

@ -0,0 +1,22 @@
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f..ccfacb63a 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -390,7 +390,7 @@ luks2_verify_key (grub_luks2_digest_t *d, grub_uint8_t *candidate_key,
{
grub_uint8_t candidate_digest[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN], salt[GRUB_CRYPTODISK_MAX_KEYLEN];
- idx_t saltlen = sizeof (salt), digestlen = sizeof (digest);
+ grub_size_t saltlen = sizeof (salt), digestlen = sizeof (digest);
const gcry_md_spec_t *hash;
gcry_err_code_t gcry_ret;
@@ -429,7 +429,7 @@ luks2_decrypt_key (grub_uint8_t *out_key,
grub_uint8_t area_key[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t *split_key = NULL;
- idx_t saltlen = sizeof (salt);
+ grub_size_t saltlen = sizeof (salt);
char cipher[32], *p;
const gcry_md_spec_t *hash;
gcry_err_code_t gcry_ret;