@@ -49,6 +49,7 @@
mmc9 = "/mmc9";
mmc10 = "/mmc10";
mmc11 = "/mmc11";
+ mmc12 = "/mmc12";
pci0 = &pci0;
pci1 = &pci1;
pci2 = &pci2;
@@ -1207,6 +1208,13 @@
filename = "mmc11.img";
};
+ /* This is used for LUKS version 2 tests */
+ mmc12 {
+ status = "disabled";
+ compatible = "sandbox,mmc";
+ filename = "mmc12.img";
+ };
+
pch {
compatible = "sandbox,pch";
};
@@ -33,7 +33,7 @@ def copy_partition(ubman, fsfile, outname):
def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
- script, part2_size=1, use_fde=False):
+ script, part2_size=1, use_fde=0):
"""Create a 20MB disk image with a single FAT partition
Args:
@@ -46,7 +46,7 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
dtbdir (str or None): Devicetree filename
script (str): Script to place in the extlinux.conf file
part2_size (int): Size of second partition in MB (default: 1)
- use_fde (bool): True to encrypt the ext4 partition with LUKS1
+ use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2)
"""
fsh = FsHelper(config, 'vfat', 18, prefix=basename)
fsh.setup()
@@ -82,7 +82,8 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
ext4 = FsHelper(config, 'ext4', max(1, part2_size - 30), prefix=basename,
part_mb=part2_size,
- encrypt_passphrase='test' if use_fde else None)
+ encrypt_passphrase='test' if use_fde else None,
+ luks_version=use_fde if use_fde else 2)
ext4.setup()
bindir = os.path.join(ext4.srcdir, 'bin')
@@ -7,7 +7,7 @@ from img.common import setup_extlinux_image
def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS',
- use_fde=False):
+ use_fde=0):
"""Create a Ubuntu disk image with a FAT partition and ext4 partition
This creates a FAT partition containing extlinux files, kernel, etc. and a
@@ -18,7 +18,7 @@ def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS',
log (multiplexed_log.Logfile): Log to write to
devnum (int): Device number to use, e.g. 1
basename (str): Base name to use in the filename, e.g. 'mmc'
- use_fde (bool): True to set up full-disk encryption
+ use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2)
"""
vmlinux = 'vmlinuz-6.8.0-53-generic'
initrd = 'initrd.img-6.8.0-53-generic'
@@ -38,12 +38,20 @@ class FsHelper:
fsh.mk_fs()
...
- To create an encrypted LUKS1 partition:
+ To create an encrypted LUKS2 partition (default):
with FsHelper(ubman.config, 'ext4', 10, 'mmc1',
encrypt_passphrase='test') as fsh:
# create files in the fsh.srcdir directory
- fsh.mk_fs() # Creates and encrypts the filesystem
+ fsh.mk_fs() # Creates and encrypts the filesystem with LUKS2
+ ...
+
+ To create an encrypted LUKS1 partition:
+
+ with FsHelper(ubman.config, 'ext4', 10, 'mmc1',
+ encrypt_passphrase='test', luks_version=1) as fsh:
+ # create files in the fsh.srcdir directory
+ fsh.mk_fs() # Creates and encrypts the filesystem with LUKS1
...
Properties:
@@ -51,7 +59,7 @@ class FsHelper:
default value but can be overwritten
"""
def __init__(self, config, fs_type, size_mb, prefix, part_mb=None,
- encrypt_passphrase=None):
+ encrypt_passphrase=None, luks_version=2):
"""Set up a new object
Args:
@@ -64,7 +72,8 @@ class FsHelper:
to size_mb. This can be used to make the partition larger than
the filesystem, to create space for disk-encryption metadata
encrypt_passphrase (str, optional): If provided, encrypt the
- filesystem with LUKS1 using this passphrase
+ filesystem with LUKS using this passphrase
+ luks_version (int): LUKS version to use (1 or 2). Defaults to 2.
"""
if ('fat' not in fs_type and 'ext' not in fs_type and
fs_type not in ['exfat', 'fs_generic']):
@@ -77,6 +86,7 @@ class FsHelper:
self.prefix = prefix
self.quiet = True
self.encrypt_passphrase = encrypt_passphrase
+ self.luks_version = luks_version
# Use a default filename; the caller can adjust it
leaf = f'{prefix}.{fs_type}.img'
@@ -166,11 +176,10 @@ class FsHelper:
self.srcdir = self.tmpdir.name
def encrypt_luks(self, passphrase):
- """Encrypt the filesystem image with LUKS1
+ """Encrypt the filesystem image with LUKS
- This replaces the filesystem image with a LUKS1-encrypted version.
- LUKS1 is used because U-Boot's unlock implementation currently only
- supports LUKS version 1.
+ This replaces the filesystem image with a LUKS-encrypted version.
+ The LUKS version is determined by self.luks_version.
Args:
passphrase (str): Passphrase for the LUKS container
@@ -180,11 +189,25 @@ class FsHelper:
Raises:
CalledProcessError: If cryptsetup is not available or fails
+ ValueError: If an unsupported LUKS version is specified
"""
- # LUKS1 encryption parameters
- cipher = 'aes-cbc-essiv:sha256'
- key_size = 256
- hash_alg = 'sha256'
+ # LUKS encryption parameters
+ if self.luks_version == 1:
+ # LUKS1 parameters
+ cipher = 'aes-cbc-essiv:sha256'
+ key_size = 256
+ hash_alg = 'sha256'
+ luks_type = 'luks1'
+ elif self.luks_version == 2:
+ # LUKS2 parameters (modern defaults)
+ cipher = 'aes-xts-plain64'
+ key_size = 512 # XTS uses 512-bit keys (2x256)
+ hash_alg = 'sha256'
+ luks_type = 'luks2'
+ else:
+ raise ValueError(f"Unsupported LUKS version: {self.luks_version}")
+
+ key_size_str = str(key_size)
# Save the original filesystem image
orig_fs_img = f'{self.fs_img}.orig'
@@ -214,11 +237,11 @@ class FsHelper:
stdout=DEVNULL, stderr=DEVNULL, check=False)
try:
- # Format as LUKS1
+ # Format as LUKS (version determined by luks_type)
run(['cryptsetup', 'luksFormat',
- '--type', 'luks1',
+ '--type', luks_type,
'--cipher', cipher,
- '--key-size', str(key_size),
+ '--key-size', key_size_str,
'--hash', hash_alg,
'--iter-time', '10', # Very fast for testing (low security)
luks_img],
@@ -83,7 +83,8 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log):
setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04')
setup_localboot_image(u_boot_config, u_boot_log)
setup_vbe_image(u_boot_config, u_boot_log)
- setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=True)
+ setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=1)
+ setup_ubuntu_image(u_boot_config, u_boot_log, 12, 'mmc', use_fde=2)
def test_ut(ubman, ut_subtest):
"""Execute a "ut" subtest.