From patchwork Fri Oct 31 06:53:56 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 46
From: Simon Glass
To: U-Boot Concept
CC: Simon Glass
Date: Fri, 31 Oct 2025 00:53:56 -0600
Message-ID: <20251031065439.3251464-1-sjg@u-boot.org>
Subject: [Concept] [PATCH 00/24] luks: Provide basic support for unlocking a LUKS1 partition
List-Id: Discussion and patches related to U-Boot Concept

With full-disk encryption (FDE) it is traditional to unlock a LUKS partition within userspace as part of the initial ramdisk passed to Linux. The user is prompted for a passphrase and then the disk is unlocked.

This works well but does have some drawbacks:

- firmware has no way of knowing whether the boot will succeed
- the 'passphrase' prompt comes quite late in the boot, which can be confusing for the user
- specifically it is not possible to provide an integrated 'boot' UI in firmware where the user can enter the passphrase
- in a VM environment, the key may be known in advance, but there is no way to take advantage of this
- it is not possible to use an encrypted disk unless also using a ramdisk

This series makes a small step towards improving U-Boot in this area. It allows a passphrase to be checked against a LUKS1-encrypted partition. It also provides read-only access to the unencrypted data, so that files can be read.
Simon Glass (24):
  aes: Fix key size handling for AES-192 and AES-256
  doc: Provide documentation for the blkmap command
  log: Provide a macro to log a hex string
  panic: Provide a way to poweroff on panic
  sandbox: Enable CONFIG_PANIC_POWEROFF
  sandbox: Add devon and devoff subcommands to sb command
  mbedtls: hash: Provide the mbedtls hash type in the hash interface
  mbedtls: Allow use of PKCS#5 functions
  test/py: Support creating space after a filesystem
  test/py: Support FDE with the extlinux image
  test/py: Set up an Ubuntu image with space for FDE
  docker: Add cryptsetup package for LUKS testing
  CI: Update Docker image to including luks tools
  luks: Add a way to create an encrypted partition
  luks: Encrypt the mmc11 test image
  luks: Add the beginning of LUKS support
  luks: Add a simple command
  luks: Create a very simple JSON library
  luks: Create a disk image with LUKS2 encryption
  luks: Show the JSON information for LUKSv2
  luks: Enhance blkmap to support LUKSv1
  luks: Provide a way to unlock and map encrypted partitions
  luks: Add a subcommand to unlock an encrypted partition
  luks: Add detection of LUKS partition

 .gitlab-ci.yml                   |   6 +-
 MAINTAINERS                      |  14 +
 arch/sandbox/dts/test.dts        |   8 +
 cmd/Kconfig                      |   9 +
 cmd/Makefile                     |   1 +
 cmd/luks.c                       | 133 +++++++
 cmd/sb.c                         | 107 ++++-
 common/hash.c                    |   5 +
 configs/sandbox_defconfig        |   2 +
 doc/usage/blkmap.rst             |   5 +
 doc/usage/cmd/blkmap.rst         | 323 +++++++++++++++
 doc/usage/cmd/luks.rst           | 254 ++++++++++++
 doc/usage/cmd/sb.rst             |  40 +-
 doc/usage/index.rst              |   3 +
 doc/usage/luks.rst               | 340 ++++++++++++++++
 drivers/block/Kconfig            |  22 ++
 drivers/block/Makefile           |   1 +
 drivers/block/blkmap.c           | 152 +++++++
 drivers/block/luks.c             | 656 +++++++++++++++++++++++++++++++
 include/blkmap.h                 |  24 ++
 include/hash.h                   |  33 +-
 include/json.h                   |  23 ++
 include/log.h                    |  16 +
 include/luks.h                   | 175 +++++++++
 lib/Kconfig                      |  15 +
 lib/Makefile                     |   1 +
 lib/aes.c                        |  15 +-
 lib/json.c                       | 122 ++++++
 lib/mbedtls/Kconfig              |  14 +
 lib/mbedtls/Makefile             |   2 +
 lib/mbedtls/mbedtls_def_config.h |   4 +
 lib/panic.c                      |   8 +
 test/boot/Makefile               |   1 +
 test/boot/luks.c                 | 241 ++++++++++++
 test/cmd/Makefile                |   1 +
 test/cmd/sb.c                    | 123 ++++++
 test/lib/Makefile                |   1 +
 test/lib/json.c                  | 211 ++++++++++
 test/py/img/common.py            |  18 +-
 test/py/img/ubuntu.py            |  12 +-
 test/py/tests/fs_helper.py       | 142 ++++++-
 test/py/tests/test_ut.py         |   3 +-
 tools/docker/Dockerfile          |   1 +
 43 files changed, 3262 insertions(+), 25 deletions(-)
 create mode 100644 cmd/luks.c
 create mode 100644 doc/usage/cmd/blkmap.rst
 create mode 100644 doc/usage/cmd/luks.rst
 create mode 100644 doc/usage/luks.rst
 create mode 100644 drivers/block/luks.c
 create mode 100644 include/json.h
 create mode 100644 include/luks.h
 create mode 100644 lib/json.c
 create mode 100644 test/boot/luks.c
 create mode 100644 test/cmd/sb.c
 create mode 100644 test/lib/json.c
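As an added example, not code from this series or from U-Boot, the following Python shows the two pieces of the LUKS1 work the cover letter names: detecting a LUKS1 partition from its on-disk header, and checking a candidate master key against the header's PBKDF2 digest (the PKCS#5 primitive the series takes from mbedtls). Key-slot decryption of the anti-forensic key material is left out, and the header is constructed for the example rather than taken from a real cryptsetup image.

```python
import hashlib
import hmac
import struct

# Field layout of the LUKS1 header (phdr): big-endian, 592 bytes in total
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # 208 bytes, followed by 8 key slots
SLOT_FMT = ">II32sII"                    # active, iterations, salt, km offset, stripes
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Detect a LUKS1 header and return its fields, or None if blob is not LUKS1."""
    if len(blob) < PHDR_LEN or blob[:6] != LUKS_MAGIC:
        return None
    f = struct.unpack_from(PHDR_FMT, blob)
    if f[1] != 1:          # version 2 headers carry JSON metadata instead
        return None
    hdr = {"cipher": _cstr(f[2]), "mode": _cstr(f[3]), "hash": _cstr(f[4]),
           "payload_offset": f[5], "key_bytes": f[6], "mk_digest": f[7],
           "mk_salt": f[8], "mk_iter": f[9], "uuid": _cstr(f[10]), "slots": []}
    for i in range(8):
        active, iters, salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, blob, struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT))
        hdr["slots"].append({"active": active == SLOT_ACTIVE, "iterations": iters,
                             "salt": salt, "km_offset": km_off, "stripes": stripes})
    return hdr

def master_key_matches(hdr, master_key):
    """Check a candidate master key against the header's PBKDF2 (PKCS#5) digest."""
    digest = hashlib.pbkdf2_hmac(hdr["hash"], master_key, hdr["mk_salt"], hdr["mk_iter"], 20)
    return hmac.compare_digest(digest, hdr["mk_digest"])   # constant-time compare

def build_test_header(master_key, salt=b"\x11" * 32, iterations=1000):
    """Construct a minimal LUKS1 header for this example (not a real cryptsetup image)."""
    mk_digest = hashlib.pbkdf2_hmac("sha256", master_key, salt, iterations, 20)
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, len(master_key), mk_digest, salt, iterations, b"example-uuid")
    slot0 = struct.pack(SLOT_FMT, SLOT_ACTIVE, 2000, b"\x22" * 32, 8, 4000)
    empty = struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\0" * 32, 0, 0)
    return phdr + slot0 + empty * 7
```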