| Message ID | 20251116212334.1603490-1-simon.glass@canonical.com |
|---|---|
| Headers |
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
Authentication-Results: mail.u-boot.org;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256
header.s=google header.b=AzORcXl+;
dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
by mail.u-boot.org (Postfix) with ESMTP id E5212685FE
for <u-boot-concept@u-boot.org>; Sun, 16 Nov 2025 14:23:48 -0700 (MST)
X-Virus-Scanned: Debian amavis at
Received: from mail.u-boot.org ([127.0.0.1])
by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id PmUr0aG3SmPm for <u-boot-concept@u-boot.org>;
Sun, 16 Nov 2025 14:23:48 -0700 (MST)
Received: from mail.u-boot.org (localhost [127.0.0.1])
by mail.u-boot.org (Postfix) with ESMTP id CFF32685D7
for <u-boot-concept@u-boot.org>; Sun, 16 Nov 2025 14:23:48 -0700 (MST)
Received: from localhost (localhost [127.0.0.1])
by mail.u-boot.org (Postfix) with ESMTP id 9438D685D7
for <concept@u-boot.org>; Sun, 16 Nov 2025 14:23:46 -0700 (MST)
X-Virus-Scanned: Debian amavis at
Received: from mail.u-boot.org ([127.0.0.1])
by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id 9L4Aa7eXW_vv for <concept@u-boot.org>;
Sun, 16 Nov 2025 14:23:46 -0700 (MST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.166.54;
helo=mail-io1-f54.google.com; envelope-from=sjg@chromium.org;
receiver=u-boot.org
Received: from mail-io1-f54.google.com (mail-io1-f54.google.com
[209.85.166.54])
by mail.u-boot.org (Postfix) with ESMTPS id 8BC9A684C5
for <concept@u-boot.org>; Sun, 16 Nov 2025 14:23:42 -0700 (MST)
Received: by mail-io1-f54.google.com with SMTP id
ca18e2360f4ac-94863b3620cso276632839f.3
for <concept@u-boot.org>; Sun, 16 Nov 2025 13:23:42 -0800 (PST)
X-Received: by 2002:a05:6602:148e:b0:949:93e:bbd with SMTP id
ca18e2360f4ac-949093e2ad0mr203608439f.8.1763328220853;
Sun, 16 Nov 2025 13:23:40 -0800 (PST)
Received: from chromium.org ([73.34.74.121])
by smtp.gmail.com with ESMTPSA id
ca18e2360f4ac-948d2d162dcsm577962339f.13.2025.11.16.13.23.38
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 16 Nov 2025 13:23:39 -0800 (PST)
From: Simon Glass <sjg@chromium.org>
X-Google-Original-From: Simon Glass <simon.glass@canonical.com>
To: U-Boot Concept <concept@u-boot.org>
Date: Sun, 16 Nov 2025 14:23:14 -0700
Message-ID: <20251116212334.1603490-1-simon.glass@canonical.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Message-ID-Hash: YFUPGJSJ5PBTD645X4MQX2C3ODXSUQSV
X-Message-ID-Hash: YFUPGJSJ5PBTD645X4MQX2C3ODXSUQSV
X-MailFrom: sjg@chromium.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
banned-address; emergency; member-moderation; nonmember-moderation;
administrivia; implicit-dest; max-recipients; max-size; news-moderation;
no-subject; digests; suspicious-header
CC: Simon Glass <simon.glass@canonical.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 00/14] luks: Integrate support for a TKey
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At:
<https://lists.u-boot.org/archives/list/concept@u-boot.org/message/YFUPGJSJ5PBTD645X4MQX2C3ODXSUQSV/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
|
| Series |
luks: Integrate support for a TKey
|
|
Message
Simon Glass
Nov. 16, 2025, 9:23 p.m. UTC
This series illustrates how to use a Tillitis TKey to unlock an encrypted disk. This has the advantage that the key depends on a physical key in the user's possession as well as the usual passphrase.

The TKey handles the key derivation, so this series includes logic to skip that step when a TKey is used.

The 'luks unlock' command provides a -t flag to use a TKey.

It also provides a small pytest fix to ease conflicts with Labgrid integration.

Simon Glass (14):
  test/py: Avoid pulling in Labgrid with tests
  luks: Make essiv_decrypt() a shared function
  luks: Tidy up debugging of unlock
  luks: Update try_keyslot() to allow a bytestring
  luks: Update unlock_luks2() to take binary passphrase
  luks: Update luks_unlock() to take binary passphrase
  luks: Extract PBKDF2 key derivation into separate function
  luks: Move key derivation to the caller of try_keyslot()
  luks: Split LUKSv1 unlock code into a separate function
  luks: Support a pre-derived key with LUKSv1
  luks: Support a pre-derived key with LUKSv2
  luks: Support a pre-derived key
  luks: Check for out-of-memory with Argon2
  luks: Support disk unlock using a TKey

 cmd/luks.c                    |  94 +++++++++-
 doc/usage/cmd/luks.rst        |  36 +++-
 drivers/block/luks.c          | 316 ++++++++++++++++++++--------------
 drivers/block/luks2.c         | 141 ++++++---------
 drivers/block/luks_internal.h |  28 ++-
 include/luks.h                |   4 +-
 test/boot/luks.c              |   4 +-
 test/py/pytest.ini            |   1 +
 8 files changed, 384 insertions(+), 240 deletions(-)