[Concept,00/24] luks: Provide basic support for unlocking a LUKS1 partition

Message ID 20251031065439.3251464-1-sjg@u-boot.org

Simon Glass Oct. 31, 2025, 6:53 a.m. UTC
  From: Simon Glass <sjg@chromium.org>

With full-disk encryption (FDE) it is traditional to unlock a LUKS
partition within userspace as part of the initial ramdisk passed to
Linux. The user is prompted for a passphrase and then the disk is
unlocked.

This works well but does have some drawbacks:
- firmware has no way of knowing whether the boot will succeed
- the 'passphrase' prompt comes quite late in the boot, which can be
  confusing for the user
- specifically it is not possible to provide an integrated 'boot' UI in
  firmware where the user can enter the passphrase
- in a VM environment, the key may be known in advance, but there is no
  way to take advantage of this
- it is not possible to use an encrypted disk unless also using a ramdisk

This series makes a small step towards improving U-Boot in this area. It
allows a passphrase to be checked against a LUKS1-encrypted partition.
It also provides read-only access to the unencrypted data, so that files
can be read.


Simon Glass (24):
  aes: Fix key size handling for AES-192 and AES-256
  doc: Provide documentation for the blkmap command
  log: Provide a macro to log a hex string
  panic: Provide a way to poweroff on panic
  sandbox: Enable CONFIG_PANIC_POWEROFF
  sandbox: Add devon and devoff subcommands to sb command
  mbedtls: hash: Provide the mbedtls hash type in the hash interface
  mbedtls: Allow use of PKCS#5 functions
  test/py: Support creating space after a filesystem
  test/py: Support FDE with the extlinux image
  test/py: Set up an Ubuntu image with space for FDE
  docker: Add cryptsetup package for LUKS testing
  CI: Update Docker image to including luks tools
  luks: Add a way to create an encrypted partition
  luks: Encrypt the mmc11 test image
  luks: Add the beginning of LUKS support
  luks: Add a simple command
  luks: Create a very simple JSON library
  luks: Create a disk image with LUKS2 encryption
  luks: Show the JSON information for LUKSv2
  luks: Enhance blkmap to support LUKSv1
  luks: Provide a way to unlock and map encrypted partitions
  luks: Add a subcommand to unlock an encrypted partition
  luks: Add detection of LUKS partition

 .gitlab-ci.yml                   |   6 +-
 MAINTAINERS                      |  14 +
 arch/sandbox/dts/test.dts        |   8 +
 cmd/Kconfig                      |   9 +
 cmd/Makefile                     |   1 +
 cmd/luks.c                       | 133 +++++++
 cmd/sb.c                         | 107 ++++-
 common/hash.c                    |   5 +
 configs/sandbox_defconfig        |   2 +
 doc/usage/blkmap.rst             |   5 +
 doc/usage/cmd/blkmap.rst         | 323 +++++++++++++++
 doc/usage/cmd/luks.rst           | 254 ++++++++++++
 doc/usage/cmd/sb.rst             |  40 +-
 doc/usage/index.rst              |   3 +
 doc/usage/luks.rst               | 340 ++++++++++++++++
 drivers/block/Kconfig            |  22 ++
 drivers/block/Makefile           |   1 +
 drivers/block/blkmap.c           | 152 +++++++
 drivers/block/luks.c             | 656 +++++++++++++++++++++++++++++++
 include/blkmap.h                 |  24 ++
 include/hash.h                   |  33 +-
 include/json.h                   |  23 ++
 include/log.h                    |  16 +
 include/luks.h                   | 175 +++++++++
 lib/Kconfig                      |  15 +
 lib/Makefile                     |   1 +
 lib/aes.c                        |  15 +-
 lib/json.c                       | 122 ++++++
 lib/mbedtls/Kconfig              |  14 +
 lib/mbedtls/Makefile             |   2 +
 lib/mbedtls/mbedtls_def_config.h |   4 +
 lib/panic.c                      |   8 +
 test/boot/Makefile               |   1 +
 test/boot/luks.c                 | 241 ++++++++++++
 test/cmd/Makefile                |   1 +
 test/cmd/sb.c                    | 123 ++++++
 test/lib/Makefile                |   1 +
 test/lib/json.c                  | 211 ++++++++++
 test/py/img/common.py            |  18 +-
 test/py/img/ubuntu.py            |  12 +-
 test/py/tests/fs_helper.py       | 142 ++++++-
 test/py/tests/test_ut.py         |   3 +-
 tools/docker/Dockerfile          |   1 +
 43 files changed, 3262 insertions(+), 25 deletions(-)
 create mode 100644 cmd/luks.c
 create mode 100644 doc/usage/cmd/blkmap.rst
 create mode 100644 doc/usage/cmd/luks.rst
 create mode 100644 doc/usage/luks.rst
 create mode 100644 drivers/block/luks.c
 create mode 100644 include/json.h
 create mode 100644 include/luks.h
 create mode 100644 lib/json.c
 create mode 100644 test/boot/luks.c
 create mode 100644 test/cmd/sb.c
 create mode 100644 test/lib/json.c
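To make concrete what "checking a passphrase against a LUKS1-encrypted partition" involves on disk, here is an added example that is not part of this series or of U-Boot: it parses the 592-byte LUKS1 header (magic, cipher, hash spec, master-key digest and the eight key slots) and performs the final step of the unlock, comparing a candidate master key against the header's PBKDF2 digest. It is written in Python rather than the series' C so that it runs with only the standard library; the AES decryption of the key-slot material and the anti-forensic merge that turn a passphrase into that master key are assumed to have happened already and are not shown, and the sample header, master key and UUID are constructed for the example.

```python
import hashlib
import hmac
import struct

# LUKS1 on-disk layout (all integers big-endian): 208-byte phdr + 8 x 48-byte key slots
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, payload off,
SLOT_FMT = ">II32sII"                    #   key bytes, mk digest, mk salt, mk iter, uuid
SLOT_ACTIVE = 0x00AC71F3                 # key-slot "active" marker; 0x0000DEAD means disabled
SLOT_DISABLED = 0x0000DEAD

def cstr(b):
    return b.split(b"\0", 1)[0].decode()

def parse_luks1_header(buf):
    """Return the phdr fields and key slots as a dict; raise ValueError if not LUKS1."""
    if len(buf) < 592:
        raise ValueError("short header")
    (magic, version, cipher, mode, hspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, salt, km_off, stripes = struct.unpack_from(SLOT_FMT, buf, 208 + 48 * i)
        slots.append({"active": active == SLOT_ACTIVE, "iterations": iters, "salt": salt,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": cstr(cipher), "mode": cstr(mode), "hash": cstr(hspec),
            "payload_offset": payload_off, "key_bytes": key_bytes, "mk_digest": mk_digest,
            "mk_digest_salt": mk_salt, "mk_digest_iter": mk_iter, "uuid": cstr(uuid),
            "slots": slots}

def master_key_matches(hdr, master_key):
    """LUKS1 acceptance test: PBKDF2(hash, mk, mk-digest-salt, mk-digest-iter, 20) == mk-digest."""
    digest = hashlib.pbkdf2_hmac(hdr["hash"], master_key, hdr["mk_digest_salt"],
                                 hdr["mk_digest_iter"], 20)
    return hmac.compare_digest(digest, hdr["mk_digest"])   # constant-time compare

def build_sample_header(master_key, hash_name="sha256"):
    """Construct a minimal LUKS1 header for the example (slot 0 active, no key material)."""
    mk_salt, mk_iter = bytes(range(32)), 1000            # constructed salt / low iteration count
    digest = hashlib.pbkdf2_hmac(hash_name, master_key, mk_salt, mk_iter, 20)
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", hash_name.encode(),
                       4096, len(master_key), digest, mk_salt, mk_iter, b"constructed-uuid")
    slot0 = struct.pack(SLOT_FMT, SLOT_ACTIVE, 2000, bytes(32), 8, 4000)
    empty = struct.pack(SLOT_FMT, SLOT_DISABLED, 0, bytes(32), 0, 0)
    return phdr + slot0 + empty * 7

SAMPLE_MK = b"\x11" * 32                 # constructed 256-bit master key
SAMPLE_HEADER = build_sample_header(SAMPLE_MK)
```

A real unlock iterates over the active slots, derives a slot key with PBKDF2 from the passphrase and the slot's salt and iteration count, decrypts and AF-merges the slot's key material into a candidate master key, and only then applies `master_key_matches`; a wrong passphrase fails that final digest comparison rather than producing any error earlier.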