From c5d4bac1047c69c62a6a06834140872f97211830 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20Guzm=C3=A1n?= <ark@switnet.org>
Date: Wed, 22 Sep 2021 21:22:57 +0000
Subject: [PATCH] Adjust grub2 to nabia release version
---
...tomount-support-LUKS-detached-header.patch | 494 +++----
.../0002-Cryptomount-support-key-files.patch | 410 +++---
...s-allow-multiple-passphrase-attempts.patch | 658 ++++-----
...4-Cryptomount-support-plain-dm-crypt.patch | 1292 +++++++++--------
...ptomount-support-for-hyphens-in-UUID.patch | 246 ++--
...rt-for-using-whole-device-as-keyfile.patch | 114 ++
...or-using-a-whole-device-as-a-keyfile.patch | 111 --
helpers/make-grub2 | 6 +-
8 files changed, 1683 insertions(+), 1648 deletions(-)
create mode 100644 helpers/DATA/grub2/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
delete mode 100644 helpers/DATA/grub2/0007-Add-support-for-using-a-whole-device-as-a-keyfile.patch
diff --git a/helpers/DATA/grub2/0001-Cryptomount-support-LUKS-detached-header.patch b/helpers/DATA/grub2/0001-Cryptomount-support-LUKS-detached-header.patch
index ed27dc495..5d6bd237d 100644
--- a/helpers/DATA/grub2/0001-Cryptomount-support-LUKS-detached-header.patch
+++ b/helpers/DATA/grub2/0001-Cryptomount-support-LUKS-detached-header.patch
@@ -1,247 +1,253 @@
-From 5c643ba894421ac78c3fe18ff9548d8e9fa82ed4 Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Tue, 23 Jun 2015 11:16:30 +0100
-Subject: [PATCH 1/5] Cryptomount support LUKS detached header
-
----
- grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++----
- grub-core/disk/geli.c | 7 +++++--
- grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++--------
- include/grub/cryptodisk.h | 5 +++--
- 4 files changed, 63 insertions(+), 16 deletions(-)
-
-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index 82a3dcb..6f596a0 100644
---- a/grub-core/disk/cryptodisk.c
-+++ b/grub-core/disk/cryptodisk.c
-@@ -40,6 +40,7 @@ static const struct grub_arg_option options[] =
- /* TRANSLATORS: It's still restricted to cryptodisks only. */
- {"all", 'a', 0, N_("Mount all."), 0, 0},
- {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
-+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
- {0, 0, 0, 0, 0, 0}
- };
-
-@@ -803,6 +804,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
-
- static int check_boot, have_it;
- static char *search_uuid;
-+static grub_file_t hdr;
-
- static void
- cryptodisk_close (grub_cryptodisk_t dev)
-@@ -827,13 +829,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
-
- FOR_CRYPTODISK_DEVS (cr)
- {
-- dev = cr->scan (source, search_uuid, check_boot);
-+ dev = cr->scan (source, search_uuid, check_boot, hdr);
- if (grub_errno)
- return grub_errno;
- if (!dev)
- continue;
-
-- err = cr->recover_key (source, dev);
-+ err = cr->recover_key (source, dev, hdr);
- if (err)
- {
- cryptodisk_close (dev);
-@@ -874,7 +876,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
-
- FOR_CRYPTODISK_DEVS (cr)
- {
-- dev = cr->scan (source, search_uuid, check_boot);
-+ dev = cr->scan (source, search_uuid, check_boot,0);
- if (grub_errno)
- return grub_errno;
- if (!dev)
-@@ -928,6 +930,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
- if (argc < 1 && !state[1].set && !state[2].set)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
-
-+ if (state[3].set) /* LUKS detached header */
-+ {
-+ if (state[0].set) /* Cannot use UUID lookup with detached header */
-+ return GRUB_ERR_BAD_ARGUMENT;
+diff --git a/0001-Cryptomount-support-LUKS-detached-header.patch b/0001-Cryptomount-support-LUKS-detached-header.patch
+new file mode 100644
+index 00000000000..65943f41b8c
+--- /dev/null
++++ b/0001-Cryptomount-support-LUKS-detached-header.patch
+@@ -0,0 +1,247 @@
++From 2008e08c0a511da5d454664363f452a9e26c734f Mon Sep 17 00:00:00 2001
++From: John Lane <john@lane.uk.net>
++Date: Tue, 23 Jun 2015 11:16:30 +0100
++Subject: [PATCH 1/7] Cryptomount support LUKS detached header
+
-+ hdr = grub_file_open (state[3].arg);
-+ if (!hdr)
-+ return grub_errno;
-+ }
-+ else
-+ hdr = NULL;
++---
++ grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++----
++ grub-core/disk/geli.c | 7 +++++--
++ grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++--------
++ include/grub/cryptodisk.h | 5 +++--
++ 4 files changed, 63 insertions(+), 16 deletions(-)
+
- have_it = 0;
- if (state[0].set)
- {
-@@ -1125,7 +1139,7 @@ GRUB_MOD_INIT (cryptodisk)
- {
- grub_disk_dev_register (&grub_cryptodisk_dev);
- cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
-- N_("SOURCE|-u UUID|-a|-b"),
-+ N_("SOURCE|-u UUID|-a|-b|-H file"),
- N_("Mount a crypto device."), options);
- grub_procfs_register ("luks_script", &luks_script);
- }
-diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
-index e9d2329..f4394eb 100644
---- a/grub-core/disk/geli.c
-+++ b/grub-core/disk/geli.c
-@@ -52,6 +52,7 @@
- #include <grub/dl.h>
- #include <grub/err.h>
- #include <grub/disk.h>
-+#include <grub/file.h>
- #include <grub/crypto.h>
- #include <grub/partition.h>
- #include <grub/i18n.h>
-@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
-
- static grub_cryptodisk_t
- configure_ciphers (grub_disk_t disk, const char *check_uuid,
-- int boot_only)
-+ int boot_only,
-+ grub_file_t hdr __attribute__ ((unused)) )
- {
- grub_cryptodisk_t newdev;
- struct grub_geli_phdr header;
-@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- }
-
- static grub_err_t
--recover_key (grub_disk_t source, grub_cryptodisk_t dev)
-+recover_key (grub_disk_t source, grub_cryptodisk_t dev,
-+ grub_file_t hdr __attribute__ ((unused)) )
- {
- grub_size_t keysize;
- grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 86c50c6..66e64c0 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -23,6 +23,7 @@
- #include <grub/dl.h>
- #include <grub/err.h>
- #include <grub/disk.h>
-+#include <grub/file.h>
- #include <grub/crypto.h>
- #include <grub/partition.h>
- #include <grub/i18n.h>
-@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
-
- static grub_cryptodisk_t
- configure_ciphers (grub_disk_t disk, const char *check_uuid,
-- int check_boot)
-+ int check_boot, grub_file_t hdr)
- {
- grub_cryptodisk_t newdev;
- const char *iptr;
-@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- int benbi_log = 0;
- grub_err_t err;
-
-+ err = GRUB_ERR_NONE;
++diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
++index bd60a66b3..5230a5a9a 100644
++--- a/grub-core/disk/cryptodisk.c
+++++ b/grub-core/disk/cryptodisk.c
++@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
++ /* TRANSLATORS: It's still restricted to cryptodisks only. */
++ {"all", 'a', 0, N_("Mount all."), 0, 0},
++ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
++ {0, 0, 0, 0, 0, 0}
++ };
++
++@@ -809,6 +810,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
++
++ static int check_boot, have_it;
++ static char *search_uuid;
+++static grub_file_t hdr;
++
++ static void
++ cryptodisk_close (grub_cryptodisk_t dev)
++@@ -833,13 +835,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
++
++ FOR_CRYPTODISK_DEVS (cr)
++ {
++- dev = cr->scan (source, search_uuid, check_boot);
+++ dev = cr->scan (source, search_uuid, check_boot, hdr);
++ if (grub_errno)
++ return grub_errno;
++ if (!dev)
++ continue;
++
++- err = cr->recover_key (source, dev);
+++ err = cr->recover_key (source, dev, hdr);
++ if (err)
++ {
++ cryptodisk_close (dev);
++@@ -880,7 +882,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
++
++ FOR_CRYPTODISK_DEVS (cr)
++ {
++- dev = cr->scan (source, search_uuid, check_boot);
+++ dev = cr->scan (source, search_uuid, check_boot,0);
++ if (grub_errno)
++ return grub_errno;
++ if (!dev)
++@@ -934,6 +936,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
++ if (argc < 1 && !state[1].set && !state[2].set)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
++
+++ if (state[3].set) /* LUKS detached header */
+++ {
+++ if (state[0].set) /* Cannot use UUID lookup with detached header */
+++ return GRUB_ERR_BAD_ARGUMENT;
+++
+++ hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE);
+++ if (!hdr)
+++ return grub_errno;
+++ }
+++ else
+++ hdr = NULL;
+++
++ have_it = 0;
++ if (state[0].set)
++ {
++@@ -1141,7 +1155,7 @@ GRUB_MOD_INIT (cryptodisk)
++ {
++ grub_disk_dev_register (&grub_cryptodisk_dev);
++ cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
++- N_("SOURCE|-u UUID|-a|-b"),
+++ N_("SOURCE|-u UUID|-a|-b|-H file"),
++ N_("Mount a crypto device."), options);
++ grub_procfs_register ("luks_script", &luks_script);
++ }
++diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
++index e9d23299a..f4394eb42 100644
++--- a/grub-core/disk/geli.c
+++++ b/grub-core/disk/geli.c
++@@ -52,6 +52,7 @@
++ #include <grub/dl.h>
++ #include <grub/err.h>
++ #include <grub/disk.h>
+++#include <grub/file.h>
++ #include <grub/crypto.h>
++ #include <grub/partition.h>
++ #include <grub/i18n.h>
++@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
++
++ static grub_cryptodisk_t
++ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++- int boot_only)
+++ int boot_only,
+++ grub_file_t hdr __attribute__ ((unused)) )
++ {
++ grub_cryptodisk_t newdev;
++ struct grub_geli_phdr header;
++@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ }
++
++ static grub_err_t
++-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+++recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+++ grub_file_t hdr __attribute__ ((unused)) )
++ {
++ grub_size_t keysize;
++ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
++diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
++index 86c50c612..66e64c0e0 100644
++--- a/grub-core/disk/luks.c
+++++ b/grub-core/disk/luks.c
++@@ -23,6 +23,7 @@
++ #include <grub/dl.h>
++ #include <grub/err.h>
++ #include <grub/disk.h>
+++#include <grub/file.h>
++ #include <grub/crypto.h>
++ #include <grub/partition.h>
++ #include <grub/i18n.h>
++@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
++
++ static grub_cryptodisk_t
++ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++- int check_boot)
+++ int check_boot, grub_file_t hdr)
++ {
++ grub_cryptodisk_t newdev;
++ const char *iptr;
++@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ int benbi_log = 0;
++ grub_err_t err;
++
+++ err = GRUB_ERR_NONE;
+++
++ if (check_boot)
++ return NULL;
++
++ /* Read the LUKS header. */
++- err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+++ if (hdr)
+++ {
+++ grub_file_seek (hdr, 0);
+++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+++ err = GRUB_ERR_READ_ERROR;
+++ }
+++ else
+++ err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+++
++ if (err)
++ {
++ if (err == GRUB_ERR_OUT_OF_RANGE)
++@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
++ newdev->modname = "luks";
++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
+++
++ return newdev;
++ }
++
++ static grub_err_t
++ luks_recover_key (grub_disk_t source,
++- grub_cryptodisk_t dev)
+++ grub_cryptodisk_t dev,
+++ grub_file_t hdr)
++ {
++ struct grub_luks_phdr header;
++ grub_size_t keysize;
++@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source,
++ grub_err_t err;
++ grub_size_t max_stripes = 1;
++ char *tmp;
+++ grub_uint32_t sector;
+++
+++ err = GRUB_ERR_NONE;
+++
+++ if (hdr)
+++ {
+++ grub_file_seek (hdr, 0);
+++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+++ err = GRUB_ERR_READ_ERROR;
+++ }
+++ else
+++ err = grub_disk_read (source, 0, 0, sizeof (header), &header);
++
++- err = grub_disk_read (source, 0, 0, sizeof (header), &header);
++ if (err)
++ return err;
++
++@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source,
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
+++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
++
++ /* Read and decrypt the key material from the disk. */
++- err = grub_disk_read (source,
++- grub_be_to_cpu32 (header.keyblock
++- [i].keyMaterialOffset), 0,
++- length, split_key);
+++ if (hdr)
+++ {
+++ grub_file_seek (hdr, sector * 512);
+++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+++ err = GRUB_ERR_READ_ERROR;
+++ }
+++ else
+++ err = grub_disk_read (source, sector, 0, length, split_key);
++ if (err)
++ {
++ grub_free (split_key);
++diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
++index 32f564ae0..4e6e89a93 100644
++--- a/include/grub/cryptodisk.h
+++++ b/include/grub/cryptodisk.h
++@@ -20,6 +20,7 @@
++ #define GRUB_CRYPTODISK_HEADER 1
++
++ #include <grub/disk.h>
+++#include <grub/file.h>
++ #include <grub/crypto.h>
++ #include <grub/list.h>
++ #ifdef GRUB_UTIL
++@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev
++ struct grub_cryptodisk_dev **prev;
++
++ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
++- int boot_only);
++- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
+++ int boot_only, grub_file_t hdr);
+++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
++ };
++ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
++
++--
++2.16.2
+
- if (check_boot)
- return NULL;
-
- /* Read the LUKS header. */
-- err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
-+ if (hdr)
-+ {
-+ grub_file_seek (hdr, 0);
-+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
-+ err = GRUB_ERR_READ_ERROR;
-+ }
-+ else
-+ err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
-+
- if (err)
- {
- if (err == GRUB_ERR_OUT_OF_RANGE)
-@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
- newdev->modname = "luks";
- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
-+
- return newdev;
- }
-
- static grub_err_t
- luks_recover_key (grub_disk_t source,
-- grub_cryptodisk_t dev)
-+ grub_cryptodisk_t dev,
-+ grub_file_t hdr)
- {
- struct grub_luks_phdr header;
- grub_size_t keysize;
-@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source,
- grub_err_t err;
- grub_size_t max_stripes = 1;
- char *tmp;
-+ grub_uint32_t sector;
-+
-+ err = GRUB_ERR_NONE;
-+
-+ if (hdr)
-+ {
-+ grub_file_seek (hdr, 0);
-+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
-+ err = GRUB_ERR_READ_ERROR;
-+ }
-+ else
-+ err = grub_disk_read (source, 0, 0, sizeof (header), &header);
-
-- err = grub_disk_read (source, 0, 0, sizeof (header), &header);
- if (err)
- return err;
-
-@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source,
- return grub_crypto_gcry_error (gcry_err);
- }
-
-+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
-
- /* Read and decrypt the key material from the disk. */
-- err = grub_disk_read (source,
-- grub_be_to_cpu32 (header.keyblock
-- [i].keyMaterialOffset), 0,
-- length, split_key);
-+ if (hdr)
-+ {
-+ grub_file_seek (hdr, sector * 512);
-+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
-+ err = GRUB_ERR_READ_ERROR;
-+ }
-+ else
-+ err = grub_disk_read (source, sector, 0, length, split_key);
- if (err)
- {
- grub_free (split_key);
-diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
-index f2ad2a7..16dee3c 100644
---- a/include/grub/cryptodisk.h
-+++ b/include/grub/cryptodisk.h
-@@ -20,6 +20,7 @@
- #define GRUB_CRYPTODISK_HEADER 1
-
- #include <grub/disk.h>
-+#include <grub/file.h>
- #include <grub/crypto.h>
- #include <grub/list.h>
- #ifdef GRUB_UTIL
-@@ -106,8 +107,8 @@ struct grub_cryptodisk_dev
- struct grub_cryptodisk_dev **prev;
-
- grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
-- int boot_only);
-- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
-+ int boot_only, grub_file_t hdr);
-+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
- };
- typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
-
---
-2.1.2
-
diff --git a/helpers/DATA/grub2/0002-Cryptomount-support-key-files.patch b/helpers/DATA/grub2/0002-Cryptomount-support-key-files.patch
index c4302e8a0..31063013f 100644
--- a/helpers/DATA/grub2/0002-Cryptomount-support-key-files.patch
+++ b/helpers/DATA/grub2/0002-Cryptomount-support-key-files.patch
@@ -1,205 +1,211 @@
-From 802a23fc503a3c09f167883f05c759471243b4d3 Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Fri, 26 Jun 2015 13:37:10 +0100
-Subject: [PATCH 2/5] Cryptomount support key files
-
----
- grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
- grub-core/disk/geli.c | 4 +++-
- grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
- include/grub/cryptodisk.h | 5 ++++-
- 4 files changed, 82 insertions(+), 17 deletions(-)
-
-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index 6f596a0..a27e70c 100644
---- a/grub-core/disk/cryptodisk.c
-+++ b/grub-core/disk/cryptodisk.c
-@@ -41,6 +41,9 @@ static const struct grub_arg_option options[] =
- {"all", 'a', 0, N_("Mount all."), 0, 0},
- {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
- {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
-+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
-+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
-+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
- {0, 0, 0, 0, 0, 0}
- };
-
-@@ -805,6 +808,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
- static int check_boot, have_it;
- static char *search_uuid;
- static grub_file_t hdr;
-+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
-+static grub_size_t keyfile_size;
-
- static void
- cryptodisk_close (grub_cryptodisk_t dev)
-@@ -835,7 +840,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
- if (!dev)
- continue;
-
-- err = cr->recover_key (source, dev, hdr);
-+ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
- if (err)
- {
- cryptodisk_close (dev);
-@@ -943,6 +948,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
- hdr = NULL;
-
- have_it = 0;
-+ key = NULL;
+diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch
+new file mode 100644
+index 00000000000..43af5ff3cbf
+--- /dev/null
++++ b/0002-Cryptomount-support-key-files.patch
+@@ -0,0 +1,205 @@
++From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001
++From: John Lane <john@lane.uk.net>
++Date: Fri, 26 Jun 2015 13:37:10 +0100
++Subject: [PATCH 2/7] Cryptomount support key files
+
-+ if (state[4].set) /* Key file; fails back to passphrase entry */
-+ {
-+ grub_file_t keyfile;
-+ int keyfile_offset;
-+ grub_size_t requested_keyfile_size;
++---
++ grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
++ grub-core/disk/geli.c | 4 +++-
++ grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
++ include/grub/cryptodisk.h | 5 ++++-
++ 4 files changed, 82 insertions(+), 17 deletions(-)
+
-+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
++diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
++index 5230a5a9a..5261af547 100644
++--- a/grub-core/disk/cryptodisk.c
+++++ b/grub-core/disk/cryptodisk.c
++@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
++ {"all", 'a', 0, N_("Mount all."), 0, 0},
++ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
+++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
++ {0, 0, 0, 0, 0, 0}
++ };
++
++@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
++ static int check_boot, have_it;
++ static char *search_uuid;
++ static grub_file_t hdr;
+++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+++static grub_size_t keyfile_size;
++
++ static void
++ cryptodisk_close (grub_cryptodisk_t dev)
++@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
++ if (!dev)
++ continue;
++
++- err = cr->recover_key (source, dev, hdr);
+++ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
++ if (err)
++ {
++ cryptodisk_close (dev);
++@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
++ hdr = NULL;
++
++ have_it = 0;
+++ key = NULL;
+++
+++ if (state[4].set) /* Key file; fails back to passphrase entry */
+++ {
+++ grub_file_t keyfile;
+++ int keyfile_offset;
+++ grub_size_t requested_keyfile_size;
+++
+++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
+++
+++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+++ else
+++ {
+++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
+++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+++
+++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
+++ if (!keyfile)
+++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
+++ else
+++ {
+++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+++ if (keyfile_size == (grub_size_t)-1)
+++ grub_printf (N_("Error reading key file\n"));
+++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
+++ (unsigned long long) requested_keyfile_size,
+++ (unsigned long long) keyfile_size);
+++ else
+++ key = keyfile_buffer;
+++ }
+++ }
+++ }
+++
++ if (state[0].set)
++ {
++ grub_cryptodisk_t dev;
++diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
++index f4394eb42..da6aa6a63 100644
++--- a/grub-core/disk/geli.c
+++++ b/grub-core/disk/geli.c
++@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++
++ static grub_err_t
++ recover_key (grub_disk_t source, grub_cryptodisk_t dev,
++- grub_file_t hdr __attribute__ ((unused)) )
+++ grub_file_t hdr __attribute__ ((unused)),
+++ grub_uint8_t *key __attribute__ ((unused)),
+++ grub_size_t keyfile_size __attribute__ ((unused)) )
++ {
++ grub_size_t keysize;
++ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
++diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
++index 66e64c0e0..588236888 100644
++--- a/grub-core/disk/luks.c
+++++ b/grub-core/disk/luks.c
++@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ static grub_err_t
++ luks_recover_key (grub_disk_t source,
++ grub_cryptodisk_t dev,
++- grub_file_t hdr)
+++ grub_file_t hdr,
+++ grub_uint8_t *keyfile_bytes,
+++ grub_size_t keyfile_bytes_size)
++ {
++ struct grub_luks_phdr header;
++ grub_size_t keysize;
++ grub_uint8_t *split_key = NULL;
++- char passphrase[MAX_PASSPHRASE] = "";
+++ char interactive_passphrase[MAX_PASSPHRASE] = "";
+++ grub_uint8_t *passphrase;
+++ grub_size_t passphrase_length;
++ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
++ unsigned i;
++ grub_size_t length;
++@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
++ if (!split_key)
++ return grub_errno;
++
++- /* Get the passphrase from the user. */
++- tmp = NULL;
++- if (source->partition)
++- tmp = grub_partition_get_name (source->partition);
++- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++- source->partition ? "," : "", tmp ? : "",
++- dev->uuid);
++- grub_free (tmp);
++- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+++ if (keyfile_bytes)
++ {
++- grub_free (split_key);
++- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+++ /* Use bytestring from key file as passphrase */
+++ passphrase = keyfile_bytes;
+++ passphrase_length = keyfile_bytes_size;
+++ }
+++ else
+++ {
+++ /* Get the passphrase from the user. */
+++ tmp = NULL;
+++ if (source->partition)
+++ tmp = grub_partition_get_name (source->partition);
+++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+++ source->partition ? "," : "", tmp ? : "", dev->uuid);
+++ grub_free (tmp);
+++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+++ {
+++ grub_free (split_key);
+++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+++ }
+++
+++ passphrase = (grub_uint8_t *)interactive_passphrase;
+++ passphrase_length = grub_strlen (interactive_passphrase);
+++
++ }
++
++ /* Try to recover master key from each active keyslot. */
++@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
++
++ /* Calculate the PBKDF2 of the user supplied passphrase. */
++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
++- grub_strlen (passphrase),
+++ passphrase_length,
++ header.keyblock[i].passwordSalt,
++ sizeof (header.keyblock[i].passwordSalt),
++ grub_be_to_cpu32 (header.keyblock[i].
++diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
++index 4e6e89a93..67f6b0b59 100644
++--- a/include/grub/cryptodisk.h
+++++ b/include/grub/cryptodisk.h
++@@ -55,6 +55,8 @@ typedef enum
++ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
++ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
++
+++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+++
++ struct grub_cryptodisk;
++
++ typedef gcry_err_code_t
++@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev
++
++ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
++ int boot_only, grub_file_t hdr);
++- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
+++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
+++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
++ };
++ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
++
++--
++2.16.2
+
-+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
-+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
-+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
-+ else
-+ {
-+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
-+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
-+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
-+
-+ keyfile = grub_file_open (state[4].arg);
-+ if (!keyfile)
-+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
-+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
-+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
-+ else
-+ {
-+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
-+ if (keyfile_size == (grub_size_t)-1)
-+ grub_printf (N_("Error reading key file\n"));
-+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
-+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
-+ (unsigned long long) requested_keyfile_size,
-+ (unsigned long long) keyfile_size);
-+ else
-+ key = keyfile_buffer;
-+ }
-+ }
-+ }
-+
- if (state[0].set)
- {
- grub_cryptodisk_t dev;
-diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
-index f4394eb..da6aa6a 100644
---- a/grub-core/disk/geli.c
-+++ b/grub-core/disk/geli.c
-@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
-
- static grub_err_t
- recover_key (grub_disk_t source, grub_cryptodisk_t dev,
-- grub_file_t hdr __attribute__ ((unused)) )
-+ grub_file_t hdr __attribute__ ((unused)),
-+ grub_uint8_t *key __attribute__ ((unused)),
-+ grub_size_t keyfile_size __attribute__ ((unused)) )
- {
- grub_size_t keysize;
- grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 66e64c0..5882368 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- static grub_err_t
- luks_recover_key (grub_disk_t source,
- grub_cryptodisk_t dev,
-- grub_file_t hdr)
-+ grub_file_t hdr,
-+ grub_uint8_t *keyfile_bytes,
-+ grub_size_t keyfile_bytes_size)
- {
- struct grub_luks_phdr header;
- grub_size_t keysize;
- grub_uint8_t *split_key = NULL;
-- char passphrase[MAX_PASSPHRASE] = "";
-+ char interactive_passphrase[MAX_PASSPHRASE] = "";
-+ grub_uint8_t *passphrase;
-+ grub_size_t passphrase_length;
- grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
- unsigned i;
- grub_size_t length;
-@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
- if (!split_key)
- return grub_errno;
-
-- /* Get the passphrase from the user. */
-- tmp = NULL;
-- if (source->partition)
-- tmp = grub_partition_get_name (source->partition);
-- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-- source->partition ? "," : "", tmp ? : "",
-- dev->uuid);
-- grub_free (tmp);
-- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
-+ if (keyfile_bytes)
- {
-- grub_free (split_key);
-- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-+ /* Use bytestring from key file as passphrase */
-+ passphrase = keyfile_bytes;
-+ passphrase_length = keyfile_bytes_size;
-+ }
-+ else
-+ {
-+ /* Get the passphrase from the user. */
-+ tmp = NULL;
-+ if (source->partition)
-+ tmp = grub_partition_get_name (source->partition);
-+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-+ source->partition ? "," : "", tmp ? : "", dev->uuid);
-+ grub_free (tmp);
-+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ {
-+ grub_free (split_key);
-+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-+ }
-+
-+ passphrase = (grub_uint8_t *)interactive_passphrase;
-+ passphrase_length = grub_strlen (interactive_passphrase);
-+
- }
-
- /* Try to recover master key from each active keyslot. */
-@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
-
- /* Calculate the PBKDF2 of the user supplied passphrase. */
- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-- grub_strlen (passphrase),
-+ passphrase_length,
- header.keyblock[i].passwordSalt,
- sizeof (header.keyblock[i].passwordSalt),
- grub_be_to_cpu32 (header.keyblock[i].
-diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
-index 16dee3c..0299625 100644
---- a/include/grub/cryptodisk.h
-+++ b/include/grub/cryptodisk.h
-@@ -55,6 +55,8 @@ typedef enum
- #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
- #define GRUB_CRYPTODISK_MAX_KEYLEN 128
-
-+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
-+
- struct grub_cryptodisk;
-
- typedef gcry_err_code_t
-@@ -108,7 +110,8 @@ struct grub_cryptodisk_dev
-
- grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
- int boot_only, grub_file_t hdr);
-- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
-+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
-+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
- };
- typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
-
---
-2.1.2
-
diff --git a/helpers/DATA/grub2/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/helpers/DATA/grub2/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
index 5ed8b276d..f6df27454 100644
--- a/helpers/DATA/grub2/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
+++ b/helpers/DATA/grub2/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
@@ -1,329 +1,335 @@
-From 3e2ffefe1edbbd874ca18ac397a14465d1ac49be Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Fri, 26 Jun 2015 13:49:58 +0100
-Subject: [PATCH 3/5] Cryptomount luks allow multiple passphrase attempts
-
----
- grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------
- 1 file changed, 143 insertions(+), 135 deletions(-)
-
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 5882368..11e437e 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
-
- static grub_err_t
- luks_recover_key (grub_disk_t source,
-- grub_cryptodisk_t dev,
-- grub_file_t hdr,
-- grub_uint8_t *keyfile_bytes,
-- grub_size_t keyfile_bytes_size)
-+ grub_cryptodisk_t dev,
-+ grub_file_t hdr,
-+ grub_uint8_t *keyfile_bytes,
-+ grub_size_t keyfile_bytes_size)
- {
- struct grub_luks_phdr header;
- grub_size_t keysize;
-@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
- grub_size_t max_stripes = 1;
- char *tmp;
- grub_uint32_t sector;
-+ unsigned attempts = 2;
-
- err = GRUB_ERR_NONE;
-
-@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
-
- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
- if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
-- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
-+ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
- max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
-
- split_key = grub_malloc (keysize * max_stripes);
- if (!split_key)
- return grub_errno;
-
-- if (keyfile_bytes)
-+ while (attempts)
- {
-- /* Use bytestring from key file as passphrase */
-- passphrase = keyfile_bytes;
-- passphrase_length = keyfile_bytes_size;
-- }
-- else
-- {
-- /* Get the passphrase from the user. */
-- tmp = NULL;
-- if (source->partition)
-- tmp = grub_partition_get_name (source->partition);
-- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-- source->partition ? "," : "", tmp ? : "", dev->uuid);
-- grub_free (tmp);
-- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ if (keyfile_bytes)
- {
-- grub_free (split_key);
-- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-- }
--
-- passphrase = (grub_uint8_t *)interactive_passphrase;
-- passphrase_length = grub_strlen (interactive_passphrase);
--
-- }
--
-- /* Try to recover master key from each active keyslot. */
-- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
-- {
-- gcry_err_code_t gcry_err;
-- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
-- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
--
-- /* Check if keyslot is enabled. */
-- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
-- continue;
--
-- grub_dprintf ("luks", "Trying keyslot %d\n", i);
--
-- /* Calculate the PBKDF2 of the user supplied passphrase. */
-- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-- passphrase_length,
-- header.keyblock[i].passwordSalt,
-- sizeof (header.keyblock[i].passwordSalt),
-- grub_be_to_cpu32 (header.keyblock[i].
-- passwordIterations),
-- digest, keysize);
--
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- grub_dprintf ("luks", "PBKDF2 done\n");
--
-- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
-- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
--
-- /* Read and decrypt the key material from the disk. */
-- if (hdr)
-- {
-- grub_file_seek (hdr, sector * 512);
-- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
-- err = GRUB_ERR_READ_ERROR;
-+ /* Use bytestring from key file as passphrase */
-+ passphrase = keyfile_bytes;
-+ passphrase_length = keyfile_bytes_size;
-+ keyfile_bytes = NULL; /* use it only once */
- }
- else
-- err = grub_disk_read (source, sector, 0, length, split_key);
-- if (err)
-- {
-- grub_free (split_key);
-- return err;
-- }
--
-- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- /* Merge the decrypted key material to get the candidate master key. */
-- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
-- grub_be_to_cpu32 (header.keyblock[i].stripes));
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- grub_dprintf ("luks", "candidate key recovered\n");
--
-- /* Calculate the PBKDF2 of the candidate master key. */
-- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
-- grub_be_to_cpu32 (header.keyBytes),
-- header.mkDigestSalt,
-- sizeof (header.mkDigestSalt),
-- grub_be_to_cpu32
-- (header.mkDigestIterations),
-- candidate_digest,
-- sizeof (candidate_digest));
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- /* Compare the calculated PBKDF2 to the digest stored
-- in the header to see if it's correct. */
-- if (grub_memcmp (candidate_digest, header.mkDigest,
-- sizeof (header.mkDigest)) != 0)
-- {
-- grub_dprintf ("luks", "bad digest\n");
-- continue;
-- }
-+ {
-+ /* Get the passphrase from the user. */
-+ tmp = NULL;
-+ if (source->partition)
-+ tmp = grub_partition_get_name (source->partition);
-+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-+ source->partition ? "," : "", tmp ? : "", dev->uuid);
-+ grub_free (tmp);
-+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ {
-+ grub_free (split_key);
-+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-+ }
+diff --git a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
+new file mode 100644
+index 00000000000..19ffed89ca8
+--- /dev/null
++++ b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
+@@ -0,0 +1,329 @@
++From d055c1e314fa37957f169e08bea9d19c4417ed21 Mon Sep 17 00:00:00 2001
++From: John Lane <john@lane.uk.net>
++Date: Fri, 26 Jun 2015 13:49:58 +0100
++Subject: [PATCH 3/7] cryptomount luks allow multiple passphrase attempts
+
-+ passphrase = (grub_uint8_t *)interactive_passphrase;
-+ passphrase_length = grub_strlen (interactive_passphrase);
-
-- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
-- where each element is either empty or holds a key. */
-- grub_printf_ (N_("Slot %d opened\n"), i);
-+ }
-
-- /* Set the master key. */
-- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
-+ /* Try to recover master key from each active keyslot. */
-+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
-+ {
-+ gcry_err_code_t gcry_err;
-+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
-+ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
++---
++ grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------
++ 1 file changed, 143 insertions(+), 135 deletions(-)
+
-+ /* Check if keyslot is enabled. */
-+ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
-+ continue;
++diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
++index 588236888..11e437edb 100644
++--- a/grub-core/disk/luks.c
+++++ b/grub-core/disk/luks.c
++@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++
++ static grub_err_t
++ luks_recover_key (grub_disk_t source,
++- grub_cryptodisk_t dev,
++- grub_file_t hdr,
++- grub_uint8_t *keyfile_bytes,
++- grub_size_t keyfile_bytes_size)
+++ grub_cryptodisk_t dev,
+++ grub_file_t hdr,
+++ grub_uint8_t *keyfile_bytes,
+++ grub_size_t keyfile_bytes_size)
++ {
++ struct grub_luks_phdr header;
++ grub_size_t keysize;
++@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
++ grub_size_t max_stripes = 1;
++ char *tmp;
++ grub_uint32_t sector;
+++ unsigned attempts = 2;
++
++ err = GRUB_ERR_NONE;
++
++@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
++
++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
++ if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
++- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+++ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
++ max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
++
++ split_key = grub_malloc (keysize * max_stripes);
++ if (!split_key)
++ return grub_errno;
++
++- if (keyfile_bytes)
+++ while (attempts)
++ {
++- /* Use bytestring from key file as passphrase */
++- passphrase = keyfile_bytes;
++- passphrase_length = keyfile_bytes_size;
++- }
++- else
++- {
++- /* Get the passphrase from the user. */
++- tmp = NULL;
++- if (source->partition)
++- tmp = grub_partition_get_name (source->partition);
++- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++- source->partition ? "," : "", tmp ? : "", dev->uuid);
++- grub_free (tmp);
++- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+++ if (keyfile_bytes)
++ {
++- grub_free (split_key);
++- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++- }
++-
++- passphrase = (grub_uint8_t *)interactive_passphrase;
++- passphrase_length = grub_strlen (interactive_passphrase);
++-
++- }
++-
++- /* Try to recover master key from each active keyslot. */
++- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
++- {
++- gcry_err_code_t gcry_err;
++- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
++- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
++-
++- /* Check if keyslot is enabled. */
++- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
++- continue;
++-
++- grub_dprintf ("luks", "Trying keyslot %d\n", i);
++-
++- /* Calculate the PBKDF2 of the user supplied passphrase. */
++- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
++- passphrase_length,
++- header.keyblock[i].passwordSalt,
++- sizeof (header.keyblock[i].passwordSalt),
++- grub_be_to_cpu32 (header.keyblock[i].
++- passwordIterations),
++- digest, keysize);
++-
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
++-
++- grub_dprintf ("luks", "PBKDF2 done\n");
++-
++- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
++-
++- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
++- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
++-
++- /* Read and decrypt the key material from the disk. */
++- if (hdr)
++- {
++- grub_file_seek (hdr, sector * 512);
++- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++- err = GRUB_ERR_READ_ERROR;
+++ /* Use bytestring from key file as passphrase */
+++ passphrase = keyfile_bytes;
+++ passphrase_length = keyfile_bytes_size;
+++ keyfile_bytes = NULL; /* use it only once */
++ }
++ else
++- err = grub_disk_read (source, sector, 0, length, split_key);
++- if (err)
++- {
++- grub_free (split_key);
++- return err;
++- }
++-
++- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
++-
++- /* Merge the decrypted key material to get the candidate master key. */
++- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
++- grub_be_to_cpu32 (header.keyblock[i].stripes));
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
++-
++- grub_dprintf ("luks", "candidate key recovered\n");
++-
++- /* Calculate the PBKDF2 of the candidate master key. */
++- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
++- grub_be_to_cpu32 (header.keyBytes),
++- header.mkDigestSalt,
++- sizeof (header.mkDigestSalt),
++- grub_be_to_cpu32
++- (header.mkDigestIterations),
++- candidate_digest,
++- sizeof (candidate_digest));
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
++-
++- /* Compare the calculated PBKDF2 to the digest stored
++- in the header to see if it's correct. */
++- if (grub_memcmp (candidate_digest, header.mkDigest,
++- sizeof (header.mkDigest)) != 0)
++- {
++- grub_dprintf ("luks", "bad digest\n");
++- continue;
++- }
+++ {
+++ /* Get the passphrase from the user. */
+++ tmp = NULL;
+++ if (source->partition)
+++ tmp = grub_partition_get_name (source->partition);
+++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+++ source->partition ? "," : "", tmp ? : "", dev->uuid);
+++ grub_free (tmp);
+++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+++ {
+++ grub_free (split_key);
+++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+++ }
+++
+++ passphrase = (grub_uint8_t *)interactive_passphrase;
+++ passphrase_length = grub_strlen (interactive_passphrase);
++
++- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
++- where each element is either empty or holds a key. */
++- grub_printf_ (N_("Slot %d opened\n"), i);
+++ }
++
++- /* Set the master key. */
++- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
++- if (gcry_err)
++- {
++- grub_free (split_key);
++- return grub_crypto_gcry_error (gcry_err);
++- }
+++ /* Try to recover master key from each active keyslot. */
+++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+++ {
+++ gcry_err_code_t gcry_err;
+++ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+++ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
+++
+++ /* Check if keyslot is enabled. */
+++ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
+++ continue;
+++
+++ grub_dprintf ("luks", "Trying keyslot %d\n", i);
+++
+++ /* Calculate the PBKDF2 of the user supplied passphrase. */
+++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+++ passphrase_length,
+++ header.keyblock[i].passwordSalt,
+++ sizeof (header.keyblock[i].passwordSalt),
+++ grub_be_to_cpu32 (header.keyblock[i].
+++ passwordIterations),
+++ digest, keysize);
+++
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
+++
+++ grub_dprintf ("luks", "PBKDF2 done\n");
+++
+++ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
+++
+++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+++
+++ /* Read and decrypt the key material from the disk. */
+++ if (hdr)
+++ {
+++ grub_file_seek (hdr, sector * 512);
+++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+++ err = GRUB_ERR_READ_ERROR;
+++ }
+++ else
+++ err = grub_disk_read (source, sector, 0, length, split_key);
+++ if (err)
+++ {
+++ grub_free (split_key);
+++ return err;
+++ }
+++
+++ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
+++
+++ /* Merge the decrypted key material to get the candidate master key. */
+++ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
+++ grub_be_to_cpu32 (header.keyblock[i].stripes));
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
+++
+++ grub_dprintf ("luks", "candidate key recovered\n");
+++
+++ /* Calculate the PBKDF2 of the candidate master key. */
+++ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
+++ grub_be_to_cpu32 (header.keyBytes),
+++ header.mkDigestSalt,
+++ sizeof (header.mkDigestSalt),
+++ grub_be_to_cpu32
+++ (header.mkDigestIterations),
+++ candidate_digest,
+++ sizeof (candidate_digest));
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
+++
+++ /* Compare the calculated PBKDF2 to the digest stored
+++ in the header to see if it's correct. */
+++ if (grub_memcmp (candidate_digest, header.mkDigest,
+++ sizeof (header.mkDigest)) != 0)
+++ {
+++ grub_dprintf ("luks", "bad digest\n");
+++ continue;
+++ }
+++
+++ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
+++ where each element is either empty or holds a key. */
+++ grub_printf_ (N_("Slot %d opened\n"), i);
+++
+++ /* Set the master key. */
+++ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
+++ if (gcry_err)
+++ {
+++ grub_free (split_key);
+++ return grub_crypto_gcry_error (gcry_err);
+++ }
++
++- grub_free (split_key);
+++ grub_free (split_key);
++
++- return GRUB_ERR_NONE;
+++ return GRUB_ERR_NONE;
+++ }
+++ grub_printf_ (N_("Failed to decrypt master key.\n"));
+++ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
+++ (attempts==1) ? "" : "s");
++ }
++
++ grub_free (split_key);
++--
++2.16.2
+
-+ grub_dprintf ("luks", "Trying keyslot %d\n", i);
-+
-+ /* Calculate the PBKDF2 of the user supplied passphrase. */
-+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-+ passphrase_length,
-+ header.keyblock[i].passwordSalt,
-+ sizeof (header.keyblock[i].passwordSalt),
-+ grub_be_to_cpu32 (header.keyblock[i].
-+ passwordIterations),
-+ digest, keysize);
-+
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ grub_dprintf ("luks", "PBKDF2 done\n");
-+
-+ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
-+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
-+
-+ /* Read and decrypt the key material from the disk. */
-+ if (hdr)
-+ {
-+ grub_file_seek (hdr, sector * 512);
-+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
-+ err = GRUB_ERR_READ_ERROR;
-+ }
-+ else
-+ err = grub_disk_read (source, sector, 0, length, split_key);
-+ if (err)
-+ {
-+ grub_free (split_key);
-+ return err;
-+ }
-+
-+ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ /* Merge the decrypted key material to get the candidate master key. */
-+ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
-+ grub_be_to_cpu32 (header.keyblock[i].stripes));
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ grub_dprintf ("luks", "candidate key recovered\n");
-+
-+ /* Calculate the PBKDF2 of the candidate master key. */
-+ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
-+ grub_be_to_cpu32 (header.keyBytes),
-+ header.mkDigestSalt,
-+ sizeof (header.mkDigestSalt),
-+ grub_be_to_cpu32
-+ (header.mkDigestIterations),
-+ candidate_digest,
-+ sizeof (candidate_digest));
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ /* Compare the calculated PBKDF2 to the digest stored
-+ in the header to see if it's correct. */
-+ if (grub_memcmp (candidate_digest, header.mkDigest,
-+ sizeof (header.mkDigest)) != 0)
-+ {
-+ grub_dprintf ("luks", "bad digest\n");
-+ continue;
-+ }
-+
-+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
-+ where each element is either empty or holds a key. */
-+ grub_printf_ (N_("Slot %d opened\n"), i);
-+
-+ /* Set the master key. */
-+ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-
-- grub_free (split_key);
-+ grub_free (split_key);
-
-- return GRUB_ERR_NONE;
-+ return GRUB_ERR_NONE;
-+ }
-+ grub_printf_ (N_("Failed to decrypt master key.\n"));
-+ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
-+ (attempts==1) ? "" : "s");
- }
-
- grub_free (split_key);
---
-2.1.2
-
diff --git a/helpers/DATA/grub2/0004-Cryptomount-support-plain-dm-crypt.patch b/helpers/DATA/grub2/0004-Cryptomount-support-plain-dm-crypt.patch
index 34c10d721..325186e06 100644
--- a/helpers/DATA/grub2/0004-Cryptomount-support-plain-dm-crypt.patch
+++ b/helpers/DATA/grub2/0004-Cryptomount-support-plain-dm-crypt.patch
@@ -1,644 +1,650 @@
-From a8f9e3dcece89c179e89414abe89985c7ab1e03f Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Fri, 26 Jun 2015 22:09:52 +0100
-Subject: [PATCH 4/7] Cryptomount support plain dm-crypt
-
-Patch modified to take into account a change to context
-brought about by c93d3e694713b8230fa2cf88414fabe005b56782
-
-grub-core/disk/cryptodisk.c
-142c142
-< if (disklast)
----
->
----
- grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++-
- grub-core/disk/luks.c | 195 +----------------------------
- include/grub/cryptodisk.h | 8 ++
- 3 files changed, 310 insertions(+), 191 deletions(-)
-
-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index 5261af547..7f656f75c 100644
---- a/grub-core/disk/cryptodisk.c
-+++ b/grub-core/disk/cryptodisk.c
-@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] =
- {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
- {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
- {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
-+ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},
-+ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING},
-+ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING},
-+ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT},
-+ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT},
-+ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT},
- {0, 0, 0, 0, 0, 0}
- };
-
-@@ -933,6 +939,48 @@ grub_cryptodisk_scan_device (const char *name,
- return have_it && search_uuid ? 1 : 0;
- }
-
-+/* Hashes a passphrase into a key and stores it with cipher. */
-+static gcry_err_code_t
-+set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase)
-+{
-+ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash;
-+ char *p;
-+ unsigned int round, i;
-+ unsigned int len, size;
+diff --git a/0004-Cryptomount-support-plain-dm-crypt.patch b/0004-Cryptomount-support-plain-dm-crypt.patch
+new file mode 100644
+index 00000000000..34c10d7216b
+--- /dev/null
++++ b/0004-Cryptomount-support-plain-dm-crypt.patch
+@@ -0,0 +1,644 @@
++From a8f9e3dcece89c179e89414abe89985c7ab1e03f Mon Sep 17 00:00:00 2001
++From: John Lane <john@lane.uk.net>
++Date: Fri, 26 Jun 2015 22:09:52 +0100
++Subject: [PATCH 4/7] Cryptomount support plain dm-crypt
++
++Patch modified to take into account a change to context
++brought about by c93d3e694713b8230fa2cf88414fabe005b56782
++
++grub-core/disk/cryptodisk.c
++142c142
++< if (disklast)
++---
++>
++---
++ grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++-
++ grub-core/disk/luks.c | 195 +----------------------------
++ include/grub/cryptodisk.h | 8 ++
++ 3 files changed, 310 insertions(+), 191 deletions(-)
++
++diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
++index 5261af547..7f656f75c 100644
++--- a/grub-core/disk/cryptodisk.c
+++++ b/grub-core/disk/cryptodisk.c
++@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] =
++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+++ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},
+++ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING},
+++ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING},
+++ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT},
+++ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT},
+++ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT},
++ {0, 0, 0, 0, 0, 0}
++ };
++
++@@ -933,6 +939,48 @@ grub_cryptodisk_scan_device (const char *name,
++ return have_it && search_uuid ? 1 : 0;
++ }
++
+++/* Hashes a passphrase into a key and stores it with cipher. */
+++static gcry_err_code_t
+++set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase)
+++{
+++ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash;
+++ char *p;
+++ unsigned int round, i;
+++ unsigned int len, size;
+++
+++ /* Need no passphrase if there's no key */
+++ if (keysize == 0)
+++ return GPG_ERR_INV_KEYLEN;
+++
+++ /* Hack to support the "none" hash */
+++ if (dev->hash)
+++ len = dev->hash->mdlen;
+++ else
+++ len = grub_strlen (passphrase);
+++
+++ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN)
+++ return GPG_ERR_INV_KEYLEN;
+++
+++ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len);
+++ if (!p)
+++ return grub_errno;
+++
+++ for (round = 0, size = keysize; size; round++, dh += len, size -= len)
+++ {
+++ for (i = 0; i < round; i++)
+++ p[i] = 'A';
+++
+++ grub_strcpy (p + i, passphrase);
+++
+++ if (len > size)
+++ len = size;
+++
+++ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p));
+++ }
+++
+++ return grub_cryptodisk_setkey (dev, derived_hash, keysize);
+++}
+++
++ static grub_err_t
++ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
++ {
++@@ -1060,7 +1108,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
++ return GRUB_ERR_NONE;
++ }
++
++- err = grub_cryptodisk_scan_device_real (diskname, disk);
+++ if (state[7].set) /* Plain mode */
+++ {
+++ char *cipher;
+++ char *mode;
+++ char *digest;
+++ int offset, size, key_size;
+++
+++ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER);
+++ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST);
+++ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0;
+++ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0;
+++ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \
+++ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8;
+++
+++ /* no strtok, do it manually */
+++ mode = grub_strchr(cipher,'-');
+++ if (!mode)
+++ return GRUB_ERR_BAD_ARGUMENT;
+++ else
+++ *mode++ = 0;
+++
+++ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest);
+++
+++ dev->offset = offset;
+++ if (size) dev->total_length = size;
+++
+++ if (key)
+++ {
+++ err = grub_cryptodisk_setkey (dev, key, key_size);
+++ if (err)
+++ return err;
+++ }
+++ else
+++ {
+++ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
+++
+++ grub_printf_ (N_("Enter passphrase for %s: "), diskname);
+++ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
+++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+++
+++ err = set_passphrase (dev, key_size, passphrase);
+++ if (err)
+++ {
+++ grub_crypto_cipher_close (dev->cipher);
+++ return err;
+++ }
+++ }
+++
+++ grub_cryptodisk_insert (dev, diskname, disk);
+++
+++ grub_free (cipher);
+++ grub_free (digest);
+++
+++ err = GRUB_ERR_NONE;
+++ }
+++ else
+++ err = grub_cryptodisk_scan_device_real (diskname, disk);
++
++ grub_disk_close (disk);
++ if (disklast)
++@@ -1193,13 +1297,203 @@ struct grub_procfs_entry luks_script =
++ .get_contents = luks_script_get
++ };
++
+++grub_cryptodisk_t
+++grub_cryptodisk_create (grub_disk_t disk, char *uuid,
+++ char *ciphername, char *ciphermode, char *hashspec)
+++{
+++ grub_cryptodisk_t newdev;
+++ char *cipheriv = NULL;
+++ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
+++ grub_crypto_cipher_handle_t essiv_cipher = NULL;
+++ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
+++ const struct gcry_cipher_spec *ciph;
+++ grub_cryptodisk_mode_t mode;
+++ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
+++ int benbi_log = 0;
+++
+++ if (!uuid)
+++ uuid = (char*)"00000000000000000000000000000000";
+++
+++ ciph = grub_crypto_lookup_cipher_by_name (ciphername);
+++ if (!ciph)
+++ {
+++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
+++ ciphername);
+++ return NULL;
+++ }
+++
+++ /* Configure the cipher used for the bulk data. */
+++ cipher = grub_crypto_cipher_open (ciph);
+++ if (!cipher)
+++ return NULL;
+++
+++ /* Configure the cipher mode. */
+++ if (grub_strcmp (ciphermode, "ecb") == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_ECB;
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+++ cipheriv = NULL;
+++ }
+++ else if (grub_strcmp (ciphermode, "plain") == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_CBC;
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+++ cipheriv = NULL;
+++ }
+++ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_CBC;
+++ cipheriv = ciphermode + sizeof ("cbc-") - 1;
+++ }
+++ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_PCBC;
+++ cipheriv = ciphermode + sizeof ("pcbc-") - 1;
+++ }
+++ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_XTS;
+++ cipheriv = ciphermode + sizeof ("xts-") - 1;
+++ secondary_cipher = grub_crypto_cipher_open (ciph);
+++ if (!secondary_cipher)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ return NULL;
+++ }
+++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+++ {
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
+++ cipher->cipher->blocksize);
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ return NULL;
+++ }
+++ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
+++ secondary_cipher->cipher->blocksize);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ return NULL;
+++ }
+++ }
+++ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
+++ {
+++ mode = GRUB_CRYPTODISK_MODE_LRW;
+++ cipheriv = ciphermode + sizeof ("lrw-") - 1;
+++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+++ {
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
+++ cipher->cipher->blocksize);
+++ grub_crypto_cipher_close (cipher);
+++ return NULL;
+++ }
+++ }
+++ else
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
+++ ciphermode);
+++ return NULL;
+++ }
+++
+++ if (cipheriv == NULL);
+++ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+++ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
+++ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
+++ {
+++ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
+++ || cipher->cipher->blocksize == 0)
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
+++ cipher->cipher->blocksize);
+++ /* FIXME should we return an error here? */
+++ for (benbi_log = 0;
+++ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
+++ benbi_log++);
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
+++ }
+++ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
+++ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
+++ {
+++ char *hash_str = cipheriv + 6;
+++
+++ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
+++
+++ /* Configure the hash and cipher used for ESSIV. */
+++ essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
+++ if (!essiv_hash)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ grub_error (GRUB_ERR_FILE_NOT_FOUND,
+++ "Couldn't load %s hash", hash_str);
+++ return NULL;
+++ }
+++ essiv_cipher = grub_crypto_cipher_open (ciph);
+++ if (!essiv_cipher)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ return NULL;
+++ }
+++ }
+++ else
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
+++ cipheriv);
+++ return NULL;
+++ }
+++
+++ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */
+++ hash = grub_crypto_lookup_md_by_name (hashspec);
+++ if (!hash)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (essiv_cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
+++ hashspec);
+++ return NULL;
+++ }
+++
+++ newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
+++ if (!newdev)
+++ {
+++ grub_crypto_cipher_close (cipher);
+++ grub_crypto_cipher_close (essiv_cipher);
+++ grub_crypto_cipher_close (secondary_cipher);
+++ return NULL;
+++ }
+++ newdev->cipher = cipher;
+++ newdev->offset = 0;
+++ newdev->source_disk = NULL;
+++ newdev->benbi_log = benbi_log;
+++ newdev->mode = mode;
+++ newdev->mode_iv = mode_iv;
+++ newdev->secondary_cipher = secondary_cipher;
+++ newdev->essiv_cipher = essiv_cipher;
+++ newdev->essiv_hash = essiv_hash;
+++ newdev->hash = hash;
+++ newdev->log_sector_size = 9;
+++ newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
+++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
+++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
+++
+++ return newdev;
+++}
+++
++ static grub_extcmd_t cmd;
++
++ GRUB_MOD_INIT (cryptodisk)
++ {
++ grub_disk_dev_register (&grub_cryptodisk_dev);
++ cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
++- N_("SOURCE|-u UUID|-a|-b|-H file"),
+++ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"),
++ N_("Mount a crypto device."), options);
++ grub_procfs_register ("luks_script", &luks_script);
++ }
++diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
++index 11e437edb..4ebe21b4e 100644
++--- a/grub-core/disk/luks.c
+++++ b/grub-core/disk/luks.c
++@@ -30,8 +30,6 @@
++
++ GRUB_MOD_LICENSE ("GPLv3+");
++
++-#define MAX_PASSPHRASE 256
++-
++ #define LUKS_KEY_ENABLED 0x00AC71F3
++
++ /* On disk LUKS header */
++@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ char uuid[sizeof (header.uuid) + 1];
++ char ciphername[sizeof (header.cipherName) + 1];
++ char ciphermode[sizeof (header.cipherMode) + 1];
++- char *cipheriv = NULL;
++ char hashspec[sizeof (header.hashSpec) + 1];
++- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
++- grub_crypto_cipher_handle_t essiv_cipher = NULL;
++- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
++- const struct gcry_cipher_spec *ciph;
++- grub_cryptodisk_mode_t mode;
++- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
++- int benbi_log = 0;
++ grub_err_t err;
++
++ err = GRUB_ERR_NONE;
++@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ iptr++)
++ {
++ if (*iptr != '-')
++- *optr++ = *iptr;
+++ *optr++ = *iptr;
++ }
++ *optr = 0;
++
++@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ return NULL;
++ }
++
+++
++ /* Make sure that strings are null terminated. */
++ grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
++ ciphername[sizeof (header.cipherName)] = 0;
++@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
++ hashspec[sizeof (header.hashSpec)] = 0;
++
++- ciph = grub_crypto_lookup_cipher_by_name (ciphername);
++- if (!ciph)
++- {
++- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
++- ciphername);
++- return NULL;
++- }
++-
++- /* Configure the cipher used for the bulk data. */
++- cipher = grub_crypto_cipher_open (ciph);
++- if (!cipher)
++- return NULL;
++-
++- if (grub_be_to_cpu32 (header.keyBytes) > 1024)
++- {
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
++- grub_be_to_cpu32 (header.keyBytes));
++- grub_crypto_cipher_close (cipher);
++- return NULL;
++- }
++-
++- /* Configure the cipher mode. */
++- if (grub_strcmp (ciphermode, "ecb") == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_ECB;
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++- cipheriv = NULL;
++- }
++- else if (grub_strcmp (ciphermode, "plain") == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_CBC;
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++- cipheriv = NULL;
++- }
++- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_CBC;
++- cipheriv = ciphermode + sizeof ("cbc-") - 1;
++- }
++- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_PCBC;
++- cipheriv = ciphermode + sizeof ("pcbc-") - 1;
++- }
++- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_XTS;
++- cipheriv = ciphermode + sizeof ("xts-") - 1;
++- secondary_cipher = grub_crypto_cipher_open (ciph);
++- if (!secondary_cipher)
++- {
++- grub_crypto_cipher_close (cipher);
++- return NULL;
++- }
++- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++- {
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
++- cipher->cipher->blocksize);
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- return NULL;
++- }
++- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
++- secondary_cipher->cipher->blocksize);
++- grub_crypto_cipher_close (secondary_cipher);
++- return NULL;
++- }
++- }
++- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
++- {
++- mode = GRUB_CRYPTODISK_MODE_LRW;
++- cipheriv = ciphermode + sizeof ("lrw-") - 1;
++- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++- {
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
++- cipher->cipher->blocksize);
++- grub_crypto_cipher_close (cipher);
++- return NULL;
++- }
++- }
++- else
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
++- ciphermode);
++- return NULL;
++- }
++-
++- if (cipheriv == NULL);
++- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
++- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
++- {
++- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
++- || cipher->cipher->blocksize == 0)
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
++- cipher->cipher->blocksize);
++- /* FIXME should we return an error here? */
++- for (benbi_log = 0;
++- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
++- benbi_log++);
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
++- }
++- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
++- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
++- {
++- char *hash_str = cipheriv + 6;
++-
++- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
++-
++- /* Configure the hash and cipher used for ESSIV. */
++- essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
++- if (!essiv_hash)
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- grub_error (GRUB_ERR_FILE_NOT_FOUND,
++- "Couldn't load %s hash", hash_str);
++- return NULL;
++- }
++- essiv_cipher = grub_crypto_cipher_open (ciph);
++- if (!essiv_cipher)
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- return NULL;
++- }
++- }
++- else
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
++- cipheriv);
++- return NULL;
++- }
++-
++- /* Configure the hash used for the AF splitter and HMAC. */
++- hash = grub_crypto_lookup_md_by_name (hashspec);
++- if (!hash)
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (essiv_cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
++- hashspec);
++- return NULL;
++- }
+++ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
++
++- newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
++- if (!newdev)
++- {
++- grub_crypto_cipher_close (cipher);
++- grub_crypto_cipher_close (essiv_cipher);
++- grub_crypto_cipher_close (secondary_cipher);
++- return NULL;
++- }
++- newdev->cipher = cipher;
++ newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
++- newdev->source_disk = NULL;
++- newdev->benbi_log = benbi_log;
++- newdev->mode = mode;
++- newdev->mode_iv = mode_iv;
++- newdev->secondary_cipher = secondary_cipher;
++- newdev->essiv_cipher = essiv_cipher;
++- newdev->essiv_hash = essiv_hash;
++- newdev->hash = hash;
++- newdev->log_sector_size = 9;
++- newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
++- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
++ newdev->modname = "luks";
++- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
++
++ return newdev;
++ }
++@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source,
++ struct grub_luks_phdr header;
++ grub_size_t keysize;
++ grub_uint8_t *split_key = NULL;
++- char interactive_passphrase[MAX_PASSPHRASE] = "";
+++ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
++ grub_uint8_t *passphrase;
++ grub_size_t passphrase_length;
++ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
++@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source,
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++- keyfile_bytes = NULL; /* use it only once */
+++ keyfile_bytes = NULL; /* use it only once */
++ }
++ else
++ {
++@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source,
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+++ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
++index 67f6b0b59..bb25ab730 100644
++--- a/include/grub/cryptodisk.h
+++++ b/include/grub/cryptodisk.h
++@@ -54,9 +54,14 @@ typedef enum
++ #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
++ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
++ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+++#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
++
++ #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+++#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256"
+++#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160"
+++#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256
+++
++ struct grub_cryptodisk;
++
++ typedef gcry_err_code_t
++@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev);
++ grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
++ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
++
+++grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
+++ char *ciphername, char *ciphermode, char *digest);
+++
++ #endif
++--
++2.16.2
+
-+ /* Need no passphrase if there's no key */
-+ if (keysize == 0)
-+ return GPG_ERR_INV_KEYLEN;
-+
-+ /* Hack to support the "none" hash */
-+ if (dev->hash)
-+ len = dev->hash->mdlen;
-+ else
-+ len = grub_strlen (passphrase);
-+
-+ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN)
-+ return GPG_ERR_INV_KEYLEN;
-+
-+ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len);
-+ if (!p)
-+ return grub_errno;
-+
-+ for (round = 0, size = keysize; size; round++, dh += len, size -= len)
-+ {
-+ for (i = 0; i < round; i++)
-+ p[i] = 'A';
-+
-+ grub_strcpy (p + i, passphrase);
-+
-+ if (len > size)
-+ len = size;
-+
-+ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p));
-+ }
-+
-+ return grub_cryptodisk_setkey (dev, derived_hash, keysize);
-+}
-+
- static grub_err_t
- grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
- {
-@@ -1060,7 +1108,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
- return GRUB_ERR_NONE;
- }
-
-- err = grub_cryptodisk_scan_device_real (diskname, disk);
-+ if (state[7].set) /* Plain mode */
-+ {
-+ char *cipher;
-+ char *mode;
-+ char *digest;
-+ int offset, size, key_size;
-+
-+ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER);
-+ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST);
-+ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0;
-+ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0;
-+ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \
-+ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8;
-+
-+ /* no strtok, do it manually */
-+ mode = grub_strchr(cipher,'-');
-+ if (!mode)
-+ return GRUB_ERR_BAD_ARGUMENT;
-+ else
-+ *mode++ = 0;
-+
-+ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest);
-+
-+ dev->offset = offset;
-+ if (size) dev->total_length = size;
-+
-+ if (key)
-+ {
-+ err = grub_cryptodisk_setkey (dev, key, key_size);
-+ if (err)
-+ return err;
-+ }
-+ else
-+ {
-+ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
-+
-+ grub_printf_ (N_("Enter passphrase for %s: "), diskname);
-+ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
-+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-+
-+ err = set_passphrase (dev, key_size, passphrase);
-+ if (err)
-+ {
-+ grub_crypto_cipher_close (dev->cipher);
-+ return err;
-+ }
-+ }
-+
-+ grub_cryptodisk_insert (dev, diskname, disk);
-+
-+ grub_free (cipher);
-+ grub_free (digest);
-+
-+ err = GRUB_ERR_NONE;
-+ }
-+ else
-+ err = grub_cryptodisk_scan_device_real (diskname, disk);
-
- grub_disk_close (disk);
- if (disklast)
-@@ -1193,13 +1297,203 @@ struct grub_procfs_entry luks_script =
- .get_contents = luks_script_get
- };
-
-+grub_cryptodisk_t
-+grub_cryptodisk_create (grub_disk_t disk, char *uuid,
-+ char *ciphername, char *ciphermode, char *hashspec)
-+{
-+ grub_cryptodisk_t newdev;
-+ char *cipheriv = NULL;
-+ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
-+ grub_crypto_cipher_handle_t essiv_cipher = NULL;
-+ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
-+ const struct gcry_cipher_spec *ciph;
-+ grub_cryptodisk_mode_t mode;
-+ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
-+ int benbi_log = 0;
-+
-+ if (!uuid)
-+ uuid = (char*)"00000000000000000000000000000000";
-+
-+ ciph = grub_crypto_lookup_cipher_by_name (ciphername);
-+ if (!ciph)
-+ {
-+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
-+ ciphername);
-+ return NULL;
-+ }
-+
-+ /* Configure the cipher used for the bulk data. */
-+ cipher = grub_crypto_cipher_open (ciph);
-+ if (!cipher)
-+ return NULL;
-+
-+ /* Configure the cipher mode. */
-+ if (grub_strcmp (ciphermode, "ecb") == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_ECB;
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-+ cipheriv = NULL;
-+ }
-+ else if (grub_strcmp (ciphermode, "plain") == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_CBC;
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-+ cipheriv = NULL;
-+ }
-+ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_CBC;
-+ cipheriv = ciphermode + sizeof ("cbc-") - 1;
-+ }
-+ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_PCBC;
-+ cipheriv = ciphermode + sizeof ("pcbc-") - 1;
-+ }
-+ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_XTS;
-+ cipheriv = ciphermode + sizeof ("xts-") - 1;
-+ secondary_cipher = grub_crypto_cipher_open (ciph);
-+ if (!secondary_cipher)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ return NULL;
-+ }
-+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-+ {
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
-+ cipher->cipher->blocksize);
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ return NULL;
-+ }
-+ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
-+ secondary_cipher->cipher->blocksize);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ return NULL;
-+ }
-+ }
-+ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
-+ {
-+ mode = GRUB_CRYPTODISK_MODE_LRW;
-+ cipheriv = ciphermode + sizeof ("lrw-") - 1;
-+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-+ {
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
-+ cipher->cipher->blocksize);
-+ grub_crypto_cipher_close (cipher);
-+ return NULL;
-+ }
-+ }
-+ else
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
-+ ciphermode);
-+ return NULL;
-+ }
-+
-+ if (cipheriv == NULL);
-+ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-+ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
-+ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
-+ {
-+ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
-+ || cipher->cipher->blocksize == 0)
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
-+ cipher->cipher->blocksize);
-+ /* FIXME should we return an error here? */
-+ for (benbi_log = 0;
-+ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
-+ benbi_log++);
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
-+ }
-+ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
-+ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
-+ {
-+ char *hash_str = cipheriv + 6;
-+
-+ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
-+
-+ /* Configure the hash and cipher used for ESSIV. */
-+ essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
-+ if (!essiv_hash)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ grub_error (GRUB_ERR_FILE_NOT_FOUND,
-+ "Couldn't load %s hash", hash_str);
-+ return NULL;
-+ }
-+ essiv_cipher = grub_crypto_cipher_open (ciph);
-+ if (!essiv_cipher)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ return NULL;
-+ }
-+ }
-+ else
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
-+ cipheriv);
-+ return NULL;
-+ }
-+
-+ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */
-+ hash = grub_crypto_lookup_md_by_name (hashspec);
-+ if (!hash)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (essiv_cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
-+ hashspec);
-+ return NULL;
-+ }
-+
-+ newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
-+ if (!newdev)
-+ {
-+ grub_crypto_cipher_close (cipher);
-+ grub_crypto_cipher_close (essiv_cipher);
-+ grub_crypto_cipher_close (secondary_cipher);
-+ return NULL;
-+ }
-+ newdev->cipher = cipher;
-+ newdev->offset = 0;
-+ newdev->source_disk = NULL;
-+ newdev->benbi_log = benbi_log;
-+ newdev->mode = mode;
-+ newdev->mode_iv = mode_iv;
-+ newdev->secondary_cipher = secondary_cipher;
-+ newdev->essiv_cipher = essiv_cipher;
-+ newdev->essiv_hash = essiv_hash;
-+ newdev->hash = hash;
-+ newdev->log_sector_size = 9;
-+ newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
-+ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
-+ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
-+
-+ return newdev;
-+}
-+
- static grub_extcmd_t cmd;
-
- GRUB_MOD_INIT (cryptodisk)
- {
- grub_disk_dev_register (&grub_cryptodisk_dev);
- cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
-- N_("SOURCE|-u UUID|-a|-b|-H file"),
-+ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"),
- N_("Mount a crypto device."), options);
- grub_procfs_register ("luks_script", &luks_script);
- }
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 11e437edb..4ebe21b4e 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -30,8 +30,6 @@
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
--#define MAX_PASSPHRASE 256
--
- #define LUKS_KEY_ENABLED 0x00AC71F3
-
- /* On disk LUKS header */
-@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- char uuid[sizeof (header.uuid) + 1];
- char ciphername[sizeof (header.cipherName) + 1];
- char ciphermode[sizeof (header.cipherMode) + 1];
-- char *cipheriv = NULL;
- char hashspec[sizeof (header.hashSpec) + 1];
-- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
-- grub_crypto_cipher_handle_t essiv_cipher = NULL;
-- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
-- const struct gcry_cipher_spec *ciph;
-- grub_cryptodisk_mode_t mode;
-- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
-- int benbi_log = 0;
- grub_err_t err;
-
- err = GRUB_ERR_NONE;
-@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- iptr++)
- {
- if (*iptr != '-')
-- *optr++ = *iptr;
-+ *optr++ = *iptr;
- }
- *optr = 0;
-
-@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- return NULL;
- }
-
-+
- /* Make sure that strings are null terminated. */
- grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
- ciphername[sizeof (header.cipherName)] = 0;
-@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
- hashspec[sizeof (header.hashSpec)] = 0;
-
-- ciph = grub_crypto_lookup_cipher_by_name (ciphername);
-- if (!ciph)
-- {
-- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
-- ciphername);
-- return NULL;
-- }
--
-- /* Configure the cipher used for the bulk data. */
-- cipher = grub_crypto_cipher_open (ciph);
-- if (!cipher)
-- return NULL;
--
-- if (grub_be_to_cpu32 (header.keyBytes) > 1024)
-- {
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
-- grub_be_to_cpu32 (header.keyBytes));
-- grub_crypto_cipher_close (cipher);
-- return NULL;
-- }
--
-- /* Configure the cipher mode. */
-- if (grub_strcmp (ciphermode, "ecb") == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_ECB;
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-- cipheriv = NULL;
-- }
-- else if (grub_strcmp (ciphermode, "plain") == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_CBC;
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-- cipheriv = NULL;
-- }
-- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_CBC;
-- cipheriv = ciphermode + sizeof ("cbc-") - 1;
-- }
-- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_PCBC;
-- cipheriv = ciphermode + sizeof ("pcbc-") - 1;
-- }
-- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_XTS;
-- cipheriv = ciphermode + sizeof ("xts-") - 1;
-- secondary_cipher = grub_crypto_cipher_open (ciph);
-- if (!secondary_cipher)
-- {
-- grub_crypto_cipher_close (cipher);
-- return NULL;
-- }
-- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-- {
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
-- cipher->cipher->blocksize);
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- return NULL;
-- }
-- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
-- secondary_cipher->cipher->blocksize);
-- grub_crypto_cipher_close (secondary_cipher);
-- return NULL;
-- }
-- }
-- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
-- {
-- mode = GRUB_CRYPTODISK_MODE_LRW;
-- cipheriv = ciphermode + sizeof ("lrw-") - 1;
-- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
-- {
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
-- cipher->cipher->blocksize);
-- grub_crypto_cipher_close (cipher);
-- return NULL;
-- }
-- }
-- else
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
-- ciphermode);
-- return NULL;
-- }
--
-- if (cipheriv == NULL);
-- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
-- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
-- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
-- {
-- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
-- || cipher->cipher->blocksize == 0)
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
-- cipher->cipher->blocksize);
-- /* FIXME should we return an error here? */
-- for (benbi_log = 0;
-- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
-- benbi_log++);
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
-- }
-- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
-- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
-- {
-- char *hash_str = cipheriv + 6;
--
-- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
--
-- /* Configure the hash and cipher used for ESSIV. */
-- essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
-- if (!essiv_hash)
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- grub_error (GRUB_ERR_FILE_NOT_FOUND,
-- "Couldn't load %s hash", hash_str);
-- return NULL;
-- }
-- essiv_cipher = grub_crypto_cipher_open (ciph);
-- if (!essiv_cipher)
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- return NULL;
-- }
-- }
-- else
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
-- cipheriv);
-- return NULL;
-- }
--
-- /* Configure the hash used for the AF splitter and HMAC. */
-- hash = grub_crypto_lookup_md_by_name (hashspec);
-- if (!hash)
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (essiv_cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
-- hashspec);
-- return NULL;
-- }
-+ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
-
-- newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
-- if (!newdev)
-- {
-- grub_crypto_cipher_close (cipher);
-- grub_crypto_cipher_close (essiv_cipher);
-- grub_crypto_cipher_close (secondary_cipher);
-- return NULL;
-- }
-- newdev->cipher = cipher;
- newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
-- newdev->source_disk = NULL;
-- newdev->benbi_log = benbi_log;
-- newdev->mode = mode;
-- newdev->mode_iv = mode_iv;
-- newdev->secondary_cipher = secondary_cipher;
-- newdev->essiv_cipher = essiv_cipher;
-- newdev->essiv_hash = essiv_hash;
-- newdev->hash = hash;
-- newdev->log_sector_size = 9;
-- newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
-- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
- newdev->modname = "luks";
-- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
-
- return newdev;
- }
-@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source,
- struct grub_luks_phdr header;
- grub_size_t keysize;
- grub_uint8_t *split_key = NULL;
-- char interactive_passphrase[MAX_PASSPHRASE] = "";
-+ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
- grub_uint8_t *passphrase;
- grub_size_t passphrase_length;
- grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
-@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source,
- /* Use bytestring from key file as passphrase */
- passphrase = keyfile_bytes;
- passphrase_length = keyfile_bytes_size;
-- keyfile_bytes = NULL; /* use it only once */
-+ keyfile_bytes = NULL; /* use it only once */
- }
- else
- {
-@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source,
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition ? "," : "", tmp ? : "", dev->uuid);
- grub_free (tmp);
-- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
- {
- grub_free (split_key);
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
-index 67f6b0b59..bb25ab730 100644
---- a/include/grub/cryptodisk.h
-+++ b/include/grub/cryptodisk.h
-@@ -54,9 +54,14 @@ typedef enum
- #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
- #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
- #define GRUB_CRYPTODISK_MAX_KEYLEN 128
-+#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
-
- #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
-
-+#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256"
-+#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160"
-+#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256
-+
- struct grub_cryptodisk;
-
- typedef gcry_err_code_t
-@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev);
- grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
- grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
-
-+grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
-+ char *ciphername, char *ciphermode, char *digest);
-+
- #endif
---
-2.16.2
-
diff --git a/helpers/DATA/grub2/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/helpers/DATA/grub2/0005-Cryptomount-support-for-hyphens-in-UUID.patch
index d35318b84..a70086ff4 100644
--- a/helpers/DATA/grub2/0005-Cryptomount-support-for-hyphens-in-UUID.patch
+++ b/helpers/DATA/grub2/0005-Cryptomount-support-for-hyphens-in-UUID.patch
@@ -1,122 +1,128 @@
-From f723c22cb7d8a5a6633eaa0682e024e667fb581a Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Fri, 26 Jun 2015 22:48:03 +0100
-Subject: [PATCH 5/5] Cryptomount support for hyphens in UUID
-
----
- grub-core/disk/cryptodisk.c | 20 +++++++++++++++++---
- grub-core/disk/luks.c | 26 ++++++++------------------
- include/grub/cryptodisk.h | 2 ++
- 3 files changed, 27 insertions(+), 21 deletions(-)
-
-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index cd5cfc9..d36d16b 100644
---- a/grub-core/disk/cryptodisk.c
-+++ b/grub-core/disk/cryptodisk.c
-@@ -113,6 +113,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
- }
- }
-
-+int
-+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b)
-+{
-+ while ((*uuid_a != '\0') && (*uuid_b != '\0'))
-+ {
-+ while (*uuid_a == '-') uuid_a++;
-+ while (*uuid_b == '-') uuid_b++;
-+ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break;
-+ uuid_a++;
-+ uuid_b++;
-+ }
-+ return (*uuid_a == '\0') && (*uuid_b == '\0');
-+}
+diff --git a/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/0005-Cryptomount-support-for-hyphens-in-UUID.patch
+new file mode 100644
+index 00000000000..f6ed18a66d7
+--- /dev/null
++++ b/0005-Cryptomount-support-for-hyphens-in-UUID.patch
+@@ -0,0 +1,122 @@
++From 0939fef502c4b97d1facc7972a54d5dfeba4ab71 Mon Sep 17 00:00:00 2001
++From: John Lane <john@lane.uk.net>
++Date: Fri, 26 Jun 2015 22:48:03 +0100
++Subject: [PATCH 5/7] Cryptomount support for hyphens in UUID
+
- static gcry_err_code_t
- grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher,
- void *out, void *in, grub_size_t size,
-@@ -507,8 +521,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk)
- if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
- {
- for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
-- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
-- break;
-+ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid))
-+ break;
- }
- else
- {
-@@ -739,7 +753,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid)
- {
- grub_cryptodisk_t dev;
- for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
-- if (grub_strcasecmp (dev->uuid, uuid) == 0)
-+ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid))
- return dev;
- return NULL;
- }
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 4ebe21b..80a7606 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- int check_boot, grub_file_t hdr)
- {
- grub_cryptodisk_t newdev;
-- const char *iptr;
- struct grub_luks_phdr header;
-- char *optr;
- char uuid[sizeof (header.uuid) + 1];
- char ciphername[sizeof (header.cipherName) + 1];
- char ciphermode[sizeof (header.cipherMode) + 1];
-@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- || grub_be_to_cpu16 (header.version) != 1)
- return NULL;
-
-- optr = uuid;
-- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
-- iptr++)
-- {
-- if (*iptr != '-')
-- *optr++ = *iptr;
-- }
-- *optr = 0;
--
-- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
-- {
-- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
-- return NULL;
-- }
--
--
- /* Make sure that strings are null terminated. */
- grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
- ciphername[sizeof (header.cipherName)] = 0;
-@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- ciphermode[sizeof (header.cipherMode)] = 0;
- grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
- hashspec[sizeof (header.hashSpec)] = 0;
-+ grub_memcpy (uuid, header.uuid, sizeof (header.uuid));
-+ uuid[sizeof (header.uuid)] = 0;
++---
++ grub-core/disk/cryptodisk.c | 20 +++++++++++++++++---
++ grub-core/disk/luks.c | 26 ++++++++------------------
++ include/grub/cryptodisk.h | 2 ++
++ 3 files changed, 27 insertions(+), 21 deletions(-)
++
++diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
++index 7f656f75c..c442d3a34 100644
++--- a/grub-core/disk/cryptodisk.c
+++++ b/grub-core/disk/cryptodisk.c
++@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
++ }
++ }
++
+++int
+++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b)
+++{
+++ while ((*uuid_a != '\0') && (*uuid_b != '\0'))
+++ {
+++ while (*uuid_a == '-') uuid_a++;
+++ while (*uuid_b == '-') uuid_b++;
+++ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break;
+++ uuid_a++;
+++ uuid_b++;
+++ }
+++ return (*uuid_a == '\0') && (*uuid_b == '\0');
+++}
+++
++ static gcry_err_code_t
++ grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher,
++ void *out, void *in, grub_size_t size,
++@@ -509,8 +523,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk)
++ if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
++ {
++ for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
++- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
++- break;
+++ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid))
+++ break;
++ }
++ else
++ {
++@@ -742,7 +756,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid)
++ {
++ grub_cryptodisk_t dev;
++ for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
++- if (grub_strcasecmp (dev->uuid, uuid) == 0)
+++ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid))
++ return dev;
++ return NULL;
++ }
++diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
++index 4ebe21b4e..80a760670 100644
++--- a/grub-core/disk/luks.c
+++++ b/grub-core/disk/luks.c
++@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ int check_boot, grub_file_t hdr)
++ {
++ grub_cryptodisk_t newdev;
++- const char *iptr;
++ struct grub_luks_phdr header;
++- char *optr;
++ char uuid[sizeof (header.uuid) + 1];
++ char ciphername[sizeof (header.cipherName) + 1];
++ char ciphermode[sizeof (header.cipherMode) + 1];
++@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ || grub_be_to_cpu16 (header.version) != 1)
++ return NULL;
++
++- optr = uuid;
++- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
++- iptr++)
++- {
++- if (*iptr != '-')
++- *optr++ = *iptr;
++- }
++- *optr = 0;
++-
++- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
++- {
++- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
++- return NULL;
++- }
++-
++-
++ /* Make sure that strings are null terminated. */
++ grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
++ ciphername[sizeof (header.cipherName)] = 0;
++@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
++ ciphermode[sizeof (header.cipherMode)] = 0;
++ grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
++ hashspec[sizeof (header.hashSpec)] = 0;
+++ grub_memcpy (uuid, header.uuid, sizeof (header.uuid));
+++ uuid[sizeof (header.uuid)] = 0;
+++
+++ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid))
+++ {
+++ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
+++ return NULL;
+++ }
++
++ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
++
++diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
++index bb25ab730..01c02696e 100644
++--- a/include/grub/cryptodisk.h
+++++ b/include/grub/cryptodisk.h
++@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
++ grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
++ char *ciphername, char *ciphermode, char *digest);
++
+++int
+++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b);
++ #endif
++--
++2.16.2
+
-+ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid))
-+ {
-+ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
-+ return NULL;
-+ }
-
- newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
-
-diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
-index 4076412..a564f2c 100644
---- a/include/grub/cryptodisk.h
-+++ b/include/grub/cryptodisk.h
-@@ -167,4 +167,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
- grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
- char *ciphername, char *ciphermode, char *digest);
-
-+int
-+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b);
- #endif
---
-2.1.2
-
diff --git a/helpers/DATA/grub2/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/helpers/DATA/grub2/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
new file mode 100644
index 000000000..09f876d2f
--- /dev/null
+++ b/helpers/DATA/grub2/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
@@ -0,0 +1,114 @@
+diff --git a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
+new file mode 100644
+index 00000000000..49750f84aca
+--- /dev/null
++++ b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
+@@ -0,0 +1,108 @@
++From 908f4282cc934422923ff59836a835e63d6a7117 Mon Sep 17 00:00:00 2001
++From: Paul Gideon Dann <pdgiddie@gmail.com>
++Date: Tue, 19 Jul 2016 12:36:37 +0100
++Subject: [PATCH] Add support for using a whole device as a keyfile
++
++---
++ grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++--------
++ 1 file changed, 68 insertions(+), 18 deletions(-)
++
++diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
++index d0388c6d1..c5d8021ba 100644
++--- a/grub-core/disk/cryptodisk.c
+++++ b/grub-core/disk/cryptodisk.c
++@@ -1031,26 +1031,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
++ else
++ {
++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
++- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
++- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
++-
++- keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
++- if (!keyfile)
++- grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
++- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
++- else
+++
+++ if (grub_strchr (state[4].arg, '/'))
++ {
++- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
++- if (keyfile_size == (grub_size_t)-1)
++- grub_printf (N_("Error reading key file\n"));
++- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
++- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
++- (unsigned long long) requested_keyfile_size,
++- (unsigned long long) keyfile_size);
+++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
+++ if (!keyfile)
+++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
++ else
++- key = keyfile_buffer;
++- }
+++ {
+++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+++ if (keyfile_size == (grub_size_t)-1)
+++ grub_printf (N_("Error reading key file\n"));
+++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
+++ (unsigned long long) requested_keyfile_size,
+++ (unsigned long long) keyfile_size);
+++ else
+++ key = keyfile_buffer;
+++ }
+++ }
+++ else
+++ {
+++ grub_disk_t keydisk;
+++ char* keydisk_name;
+++ grub_err_t err;
+++ grub_uint64_t total_sectors;
+++
+++ keydisk_name = grub_file_get_device_name(state[4].arg);
+++ keydisk = grub_disk_open (keydisk_name);
+++ if (!keydisk)
+++ {
+++ grub_printf (N_("Unable to open disk %s\n"), keydisk_name);
+++ goto cleanup_keydisk_name;
+++ }
+++
+++ total_sectors = grub_disk_get_size (keydisk);
+++ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN)
+++ {
+++ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name);
+++ goto cleanup_keydisk;
+++ }
+++
+++ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS);
+++ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size)
+++ keyfile_size = requested_keyfile_size;
+++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+++ {
+++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+++ goto cleanup_keydisk;
+++ }
+++
+++ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer);
+++ if (err != GRUB_ERR_NONE)
+++ {
+++ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name);
+++ keyfile_size = 0;
+++ goto cleanup_keydisk;
+++ }
+++
+++ key = keyfile_buffer;
+++
+++ cleanup_keydisk:
+++ grub_disk_close (keydisk);
+++ cleanup_keydisk_name:
+++ grub_free (keydisk_name);
+++ }
++ }
++ }
++
diff --git a/helpers/DATA/grub2/0007-Add-support-for-using-a-whole-device-as-a-keyfile.patch b/helpers/DATA/grub2/0007-Add-support-for-using-a-whole-device-as-a-keyfile.patch
deleted file mode 100644
index 0c45a8c39..000000000
--- a/helpers/DATA/grub2/0007-Add-support-for-using-a-whole-device-as-a-keyfile.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From ef720d0d44b8d97a83950ced0df1ce1bcf8cd988 Mon Sep 17 00:00:00 2001
-From: Paul Gideon Dann <pdgiddie@gmail.com>
-Date: Tue, 19 Jul 2016 12:36:37 +0100
-Subject: [PATCH 7/7] Add support for using a whole device as a keyfile
-
----
- grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++++++++----------
- 1 file changed, 68 insertions(+), 18 deletions(-)
-
-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index 6fc2c23aa..a8937e5e3 100644
---- a/grub-core/disk/cryptodisk.c
-+++ b/grub-core/disk/cryptodisk.c
-@@ -1032,26 +1032,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
- else
- {
- keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
-- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
-- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
--
-- keyfile = grub_file_open (state[4].arg);
-- if (!keyfile)
-- grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
-- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
-- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
-- else
-+
-+ if (grub_strchr (state[4].arg, '/'))
- {
-- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
-- if (keyfile_size == (grub_size_t)-1)
-- grub_printf (N_("Error reading key file\n"));
-- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
-- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
-- (unsigned long long) requested_keyfile_size,
-- (unsigned long long) keyfile_size);
-+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
-+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
-+ keyfile = grub_file_open (state[4].arg);
-+ if (!keyfile)
-+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
-+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
-+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
- else
-- key = keyfile_buffer;
-- }
-+ {
-+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
-+ if (keyfile_size == (grub_size_t)-1)
-+ grub_printf (N_("Error reading key file\n"));
-+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
-+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
-+ (unsigned long long) requested_keyfile_size,
-+ (unsigned long long) keyfile_size);
-+ else
-+ key = keyfile_buffer;
-+ }
-+ }
-+ else
-+ {
-+ grub_disk_t keydisk;
-+ char* keydisk_name;
-+ grub_err_t err;
-+ grub_uint64_t total_sectors;
-+
-+ keydisk_name = grub_file_get_device_name(state[4].arg);
-+ keydisk = grub_disk_open (keydisk_name);
-+ if (!keydisk)
-+ {
-+ grub_printf (N_("Unable to open disk %s\n"), keydisk_name);
-+ goto cleanup_keydisk_name;
-+ }
-+
-+ total_sectors = grub_disk_get_size (keydisk);
-+ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN)
-+ {
-+ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name);
-+ goto cleanup_keydisk;
-+ }
-+
-+ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS);
-+ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size)
-+ keyfile_size = requested_keyfile_size;
-+ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
-+ {
-+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
-+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
-+ goto cleanup_keydisk;
-+ }
-+
-+ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer);
-+ if (err != GRUB_ERR_NONE)
-+ {
-+ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name);
-+ keyfile_size = 0;
-+ goto cleanup_keydisk;
-+ }
-+
-+ key = keyfile_buffer;
-+
-+ cleanup_keydisk:
-+ grub_disk_close (keydisk);
-+ cleanup_keydisk_name:
-+ grub_free (keydisk_name);
-+ }
- }
- }
-
---
-2.16.2
-
diff --git a/helpers/make-grub2 b/helpers/make-grub2
index c9adcfc6a..bb7709b24 100644
--- a/helpers/make-grub2
+++ b/helpers/make-grub2
@@ -2,6 +2,7 @@
#
# Copyright (C) 2011-2017 Ruben Rodriguez <ruben@trisquel.info>
# Copyright (C) 2019 Mason Hock <mason@masonhock.com>
+# Copyright (C) 2021 Luis Guzman <ark@switnet.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -24,6 +25,7 @@ COMPONENT=main
. ./config
# http://grub.johnlane.ie/
+## updated to 2.04-1 on https://aur.archlinux.org/packages/grub-luks-keyfile/
for i in $DATA/*.patch; do
echo Applying patch $i
patch -p1 < $i
@@ -33,13 +35,13 @@ done
#sed '/dosfstools/d' -i debian/control
sed '/mkfs.minix/s/-B $BLKSIZE//g' -i tests/util/grub-fs-tester.in
-for i in install_efi_ubuntu_flavours.patch mkconfig_ubuntu_distributor.patch; do
+for i in install-efi-ubuntu-flavours.patch mkconfig-ubuntu-distributor.patch; do
rm debian/patches/$i
sed /$i/d debian/patches/series -i
done
#Allow passwords https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1311302
-/bin/sed '/CLASS=/s/class os/class os --unrestricted/' -i util/grub.d/* debian/patches/mkconfig_other_inits.patch
+/bin/sed '/CLASS=/s/class os/class os --unrestricted/' -i util/grub.d/* debian/patches/mkconfig-other-inits.patch
replace "with Linux" "with Linux-Libre" util
replace "with Linux" "with Linux-Libre" debian
--
GitLab