luks: Add -p flag for pre-derived master key

Add a -p flag to the luks unlock command that allows passing a
hex-encoded pre-derived master key, skipping the KDF step. This is
useful when the master key has been derived externally, such as from a
hardware security module.

Adjust the normal flow (without -p) to use a key derived on the TKey
output. While that works OK with LUKS1, the 32-byte value is not long
enough to work with LUKS2.

Update the documentation to describe the new flag.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Simon Glass
2025-11-27 07:07:29 -07:00
parent 6873d2bf79
commit 67ed14f985
2 changed files with 47 additions and 13 deletions
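The commit message above explains that `-p` takes a hex-encoded master key and that a 32-byte key is too short for LUKS2. The following is an added example, not U-Boot's code, showing the input check a `-p` handler needs: decode the hex and refuse anything whose length differs from the key size recorded in the header. The function names, the 64-byte cap and the 32/64-byte sizes for LUKS1/LUKS2 are assumptions; the sample key is the one from the documentation example in this commit.

```c
/* Added example (not U-Boot code): parse the "luks unlock -p" hex key and
 * require it to match the header's key size (assumed 32 LUKS1 / 64 LUKS2). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LUKS_MAX_KEY_BYTES 64	/* assumed upper bound (aes-xts-plain64) */

/* 32-byte sample key taken from the doc example in this commit */
static const char SAMPLE_KEY_HEX[] =
	"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Decode hex into out; require exactly expected_len bytes (the header's key
 * size). Returns that length, or -1 on odd length, non-hex input or size
 * mismatch, so a 32-byte key is rejected up front for a 64-byte LUKS2 slot. */
int luks_parse_master_key(const char *hex, uint8_t *out, size_t out_max,
			  size_t expected_len)
{
	size_t n = strlen(hex), i;
	if (n % 2 || n / 2 != expected_len || expected_len > out_max)
		return -1;
	for (i = 0; i < n; i += 2) {
		int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		out[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)expected_len;
}

/* Wrapper: decoded byte at idx, or -1 if the key is rejected (for checks) */
int luks_master_key_byte(const char *hex, size_t expected_len, size_t idx)
{
	uint8_t buf[LUKS_MAX_KEY_BYTES];
	if (luks_parse_master_key(hex, buf, sizeof(buf), expected_len) < 0 ||
	    idx >= expected_len)
		return -1;
	return buf[idx];
}
```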
@@ -13,7 +13,7 @@ Synopsis
luks detect <interface> <dev[:part]>
luks info <interface> <dev[:part]>
luks unlock [-t] <interface> <dev[:part]> <passphrase>
luks unlock [-t] [-p] <interface> <dev[:part]> <passphrase>
Description
-----------
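Review bot: the synopsis still names the last argument `<passphrase>` on the new `[-t] [-p]` line, although with `-p` it is a hex master key rather than a passphrase; consider `<passphrase|hex-key>` and stating whether `-t` and `-p` may be combined.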
@@ -97,7 +97,8 @@ This command:
- **Without -t**: Uses PBKDF2 or Argon2id with the provided passphrase
- **With -t**: Uses TKey hardware token with passphrase as USS (User-Supplied
Secret) to derive a disk encryption key
Secret) to derive a disk encryption key. You can use 'tkey connect' to
select which TKey to use, otherwise it uses the first one it finds.
4. Attempts to unlock each active key slot
5. Verifies the master key against the stored digest
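Review bot: the key-derivation step of "This command:" lists only the "Without -t" and "With -t" cases, so the `-p` path added by this commit, which performs no derivation at all, is missing from the flow; add a "With -p" bullet saying the argument is decoded from hex and used directly as the master key before step 5 verifies it against the digest.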
@@ -128,6 +129,12 @@ be used to access files on the unlocked partition.
passphrase is used as the USS (User-Supplied Secret) to derive a disk
encryption key from the TKey's public key.
-p
Optional flag to treat the passphrase as a hex-encoded pre-derived master
key, skipping the KDF (Key Derivation Function) step. This is useful when
the master key has already been derived externally, such as from a hardware
security module or other key management system.
interface
The storage interface type (e.g., mmc, usb, scsi)
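Review bot: the `-p` description does not say how long the hex key must be. The commit message itself notes that 32 bytes is not enough for LUKS2, so document that the decoded length must equal the key size in the LUKS header (and what error is reported otherwise). It is also worth a sentence that the raw master key appears on the command line and in the console log, so this flag is meant for externally managed keys, as the description already implies.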
@@ -250,6 +257,13 @@ Unlock using TKey hardware token::
Successfully unlocked with key slot 0!
Unlocked LUKS partition as blkmap device 'luks-mmc-0:2'
Unlock using a pre-derived master key (hex-encoded)::
=> luks unlock -p mmc 0:2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Unlocking LUKS2 partition...
Successfully unlocked with key slot 0!
Unlocked LUKS partition as blkmap device 'luks-mmc-0:2'
Configuration
-------------
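Review bot: the new example passes a 64-hex-character (32-byte) key yet shows "Unlocking LUKS2 partition..." succeeding, which contradicts the commit message's statement that a 32-byte value is not long enough for LUKS2; either use a key of the LUKS2 key size in the example or show it against a LUKS1 partition.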