From patchwork Sun Nov 16 21:23:14 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 51
From: Simon Glass
To: U-Boot Concept
CC: Simon Glass
Date: Sun, 16 Nov 2025 14:23:14 -0700
Message-ID: <20251116212334.1603490-1-simon.glass@canonical.com>
Subject: [Concept] [PATCH 00/14] luks: Integrate support for a TKey
List-Id: Discussion and patches related to U-Boot Concept

This series illustrates how to use a Tillitis TKey to unlock an encrypted
disk. This has the advantage that the key depends on a physical key in the
user's possession as well as the usual passphrase.

The TKey handles the key derivation, so this series includes logic to skip
that step when a TKey is used. The 'luks unlock' command provides a -t flag
to use a TKey.

It also provides a small pytest fix to ease conflicts with Labgrid
integration.

Simon Glass (14):
  test/py: Avoid pulling in Labgrid with tests
  luks: Make essiv_decrypt() a shared function
  luks: Tidy up debugging of unlock
  luks: Update try_keyslot() to allow a bytestring
  luks: Update unlock_luks2() to take binary passphrase
  luks: Update luks_unlock() to take binary passphrase
  luks: Extract PBKDF2 key derivation into separate function
  luks: Move key derivation to the caller of try_keyslot()
  luks: Split LUKSv1 unlock code into a separate function
  luks: Support a pre-derived key with LUKSv1
  luks: Support a pre-derived key with LUKSv2
  luks: Support a pre-derived key
  luks: Check for out-of-memory with Argon2
  luks: Support disk unlock using a TKey

 cmd/luks.c                    |  94 +++++++++-
 doc/usage/cmd/luks.rst        |  36 +++-
 drivers/block/luks.c          | 316 ++++++++++++++++++++--------------
 drivers/block/luks2.c         | 141 ++++++---------
 drivers/block/luks_internal.h |  28 ++-
 include/luks.h                |   4 +-
 test/boot/luks.c              |   4 +-
 test/py/pytest.ini            |   1 +
 8 files changed, 384 insertions(+), 240 deletions(-)