Update luks_unlock() to support a pre-derived key, such as that obtained
from a TKey. This must match the key_size of the LUKS partition,
otherwise it will fail to unlock.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
In some cases we may wish to provide a pre-derived key, e.g. obtained
from a TKey. Provide an option for this with LUKSv1. For now it is not
exported.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Move the LUKSv1-specific unlock logic from luks_unlock() into a new
unlock_luks1() function, lining up with the structure used for LUKSv2.
Also update unlock_luks1() to use a local key_size variable and only
set the output parameter on success.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Move the derive_key_pbkdf2() call from inside try_keyslot() to the
caller, luks_unlock().
With this change luks_unlock() deals with key derivation and
try_keyslot() only handles the decryption part, using a supplied
derived key.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Create a new derive_key_pbkdf2() function to handle key derivation, to
allow this to be called from other places and to reduce the size of
try_keyslot().
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update luks_unlock() to accept a binary passphrase, to match the LUKS2
implementation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update unlock_luks2() and related functions to accept a binary
passphrase instead of a string passphrase. This will allow unlocking
using hashed data.
For now this is internal to the luks implementation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
In preparation for supporting unlock using binary data, update
try_keyslot() to accept an array of bytes instead of a string.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Name the derived key as such to avoid confusion. Fix a typo in a nearby
log_debug() statement.
Update essiv_decrypt() to have a const * for its first argument.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Both luks.c and luks2.c have similar implementations of essiv_decrypt().
Drop the version in the latter to reduce code duplication.
Drop the duplicate function comments while we are here, since exported
functions should have the information in the header file.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add support for AES-XTS cipher mode in addition to the existing
AES-CBC-ESSIV support. This is the default cipher for LUKS2 volumes.
The cipher mode (CBC/XTS) is obtained from the LUKS1 cipher_mode or
LUKS2 encryption metadata.
XTS mode uses 512-byte block numbers for IV generation (plain64),
matching dm-crypt behavior. LUKS2 typically uses 4096-byte sectors
for XTS encryption but the IV is based on 512-byte block numbers.
Fix the blkmap-size calculation to exclude the LUKS header/payload
offset.
Update the LUKSv2 test to check reading a file.
Series-to: concept
Cover-letter:
luks: Support the AES-XTS cipher mode
This series finishes off the implementation of LUKSv2, adding support
for the common cipher mode and testing that files can be read from the
disk.
It includes a fix for using the correct size when mapping the crypt, as
well as some refactoring to split up the code a little better.
END
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
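
The plain64 IV numbering and the blkmap-size calculation described in the AES-XTS commit message above, as an added example that is not code from U-Boot or from the patch author. The function names, the IV offset of zero at the payload start and the sample sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_UNIT		512	/* plain64 counts 512-byte blocks */
#define IV_LEN		16	/* AES block size, used as the XTS tweak */

/* plain64: 64-bit little-endian block number, zero-padded to 16 bytes */
static void plain64_iv(uint64_t blk512, uint8_t iv[IV_LEN])
{
	int i;

	memset(iv, 0, IV_LEN);
	for (i = 0; i < 8; i++)
		iv[i] = (uint8_t)(blk512 >> (8 * i));
}

/*
 * IV block number for the n-th encryption sector of the payload. The IV
 * stays in 512-byte units even when the encryption sector is 4096 bytes.
 * Assumption: numbering starts at 0 at the payload start (IV offset 0).
 */
static uint64_t iv_block_for_sector(uint64_t n, uint32_t sector_size)
{
	return n * (sector_size / IV_UNIT);
}

/* Mapped size in 512-byte blocks, excluding the header/payload offset */
static uint64_t mapped_blocks(uint64_t part_blocks, uint64_t payload_off)
{
	return payload_off >= part_blocks ? 0 : part_blocks - payload_off;
}

int main(void)
{
	uint8_t iv[IV_LEN];
	uint64_t n;

	/* Constructed sample: 64 MiB partition, payload at 16 MiB */
	printf("mapped blocks: %llu\n",
	       (unsigned long long)mapped_blocks(131072, 32768));
	for (n = 0; n < 3; n++) {
		plain64_iv(iv_block_for_sector(n, 4096), iv);
		printf("4096-byte sector %llu -> IV block %llu (iv[0]=%02x)\n",
		       (unsigned long long)n,
		       (unsigned long long)iv_block_for_sector(n, 4096), iv[0]);
	}
	return 0;
}
```

Using the 4096-byte sector index directly as the IV, or mapping the whole partition size instead of the payload size, gives wrong plaintext or a mapping that runs past the end of the encrypted data.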
Fix the blkmap-size calculation to exclude the LUKS header/payload
offset. This was missed in the initial implementation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Fixes: 0cbfb2d490 ("luks: Provide a way to unlock and map encrypted..")
Add support for luks v2 which is a more common version used on modern
systems.
This makes use of Argon2 and also the JSON->FDT parser.
Enable this feature for sandbox, tidying up the defconfig while we are
here.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
In preparation for luks v2, make a few code-style tweaks:
- shorter vars in some cases
- 80cols in a few places
- drop an unwanted blank line
- use 'pass' instead of 'passphrase'
- unnecessary assignments to NULL
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Provide this function through an internal header, so that luks2 will be
able to use it.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add the logic to unlock a partition and set up a blkmap for use with it.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Extract the full information for version 2, which is JSON format. Show
this with the 'luks info' command.
Use the mmc12 disk to check this.
Require the JSON for LUKS.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a 'luks' command which allows querying a partition to see if it is
encrypted using LUKS, as well as showing information about a LUKS
partition.
Provide some documentation and a test.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Linux Unified Key Setup (LUKS) provides a way to encrypt a disk
partition with a key and later unlock it. There are two versions (1 and
2).
Add a definition of the main structures and the ability to detect a LUKS
partition.
Enable this for the sandbox board.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>