From patchwork Fri Oct 31 06:54:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Simon Glass X-Patchwork-Id: 669 Return-Path: X-Original-To: u-boot-concept@u-boot.org Delivered-To: u-boot-concept@u-boot.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1761893786; bh=1WNu/0fkn/NpUjZHKFh9lBajdjt13qYcXAIAhcHvaEY=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=fZB0FJt9VOmgDk6UADrALautGa+N8NcTQqm+Ueh23Q5TqxjLTSGMQCQUkYxJwNM8A WmwVE1jTqBAxHnnPJItqWdVR6Fi6hLngmEjSJTjDaOBeJoB5Cw4uvoQyg13P1SXzfX kPuh0yWjV+OKLn7fOtmzyyRelXp9atzpYHsjroSHBwHC4rTr8gbvq0i/gP3uvmQl9A T33Zjk/ysXsU0Q/dxxpny+Iw12DYXJ1K8696AM61LOkjF71iUTybV5w30XzlojL6Am Wdz/MbnXs8+8CGxDo++THA98mbhkr78mrbWm+/yDDQ4ojCshPbOeoAgcCg5F+VUjts 510gtlthXWDEA== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id 7956D68326 for ; Fri, 31 Oct 2025 00:56:26 -0600 (MDT) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP id fUVAS1wA9tq1 for ; Fri, 31 Oct 2025 00:56:26 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1761893786; bh=1WNu/0fkn/NpUjZHKFh9lBajdjt13qYcXAIAhcHvaEY=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=fZB0FJt9VOmgDk6UADrALautGa+N8NcTQqm+Ueh23Q5TqxjLTSGMQCQUkYxJwNM8A WmwVE1jTqBAxHnnPJItqWdVR6Fi6hLngmEjSJTjDaOBeJoB5Cw4uvoQyg13P1SXzfX kPuh0yWjV+OKLn7fOtmzyyRelXp9atzpYHsjroSHBwHC4rTr8gbvq0i/gP3uvmQl9A T33Zjk/ysXsU0Q/dxxpny+Iw12DYXJ1K8696AM61LOkjF71iUTybV5w30XzlojL6Am Wdz/MbnXs8+8CGxDo++THA98mbhkr78mrbWm+/yDDQ4ojCshPbOeoAgcCg5F+VUjts 510gtlthXWDEA== Received: from mail.u-boot.org (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with 
ESMTP id 67A355FBA9 for ; Fri, 31 Oct 2025 00:56:26 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1761893783; bh=tNzNVZUF0Ok65yYwczU5MH/gE0OjXpj8gEXtGmkQqJk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fPGezQlWDfLmA+BWbZrsbf9Aw3dN9syDkdV+V1AVdeTB3ffYwG2JKqgWbhBL5HPKj VrtdwGnWr/2d7HlOHp9f1bziCZj8hjgaRJ4NC2IGsd/PaX2YcxEX4+4FQD7uFxSCo6 T6TiGfhR7FG//rTAsSSZOr79sW5t+45BIbHNfMIFLf8SssFsr3UzG4ls3Rg2gIZYbt SFRHw3BZfpK+52nTFtKWxyNKbqEur7lrUjbcA9yZDLHxdJWCmw/mIyM99bJXSd5sA1 aXUIHXMmPoWrObUAt1zQ0CDksa7jUgDlrxyUvsD/+F8FlKSYdBoYWx6VBcraJvrL5g Dh7NKTFqSSx1w== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id DC71A68316; Fri, 31 Oct 2025 00:56:23 -0600 (MDT) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP id H7yRSAeGrFfk; Fri, 31 Oct 2025 00:56:23 -0600 (MDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1761893778; bh=0zaZD5NU1j+hwQx90qUjzSKDkx1jmG65Y1aHCY/xYyk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jEBSaRoSM79eb7J5C7IUtpyyS9AFbnq0yQWJoWhlWBIBck6Uj88YX+5Fm1xNQTkYO Ppvs3hiVgV8JIZ9tLATCpW6G+x2Md+9ERXTAkU2P7N8Hx7EHvPtdS97iMqGvHVRONz vj+pq/IhMkc9iYmv9rmxcC3Wp89hKQeTNi4DnziThMukJVUE0sUNH8ypstirKLorIl sZPSMBwECnEPddYYxTtq4R9iPUoYOqWj49/2wlY5BALbzJSnpyPpBwbDBJfQdvtUe/ 6t9K6qEZPvyuNbKx4/eE/fFD64o0InIgjQIBzTHfyMPZnhkYXIss5mgM0NzeUyK+NR QMhvjnnS6lA7Q== Received: from u-boot.org (unknown [73.34.74.121]) by mail.u-boot.org (Postfix) with ESMTPSA id 081E95FBA9; Fri, 31 Oct 2025 00:56:17 -0600 (MDT) 
From: Simon Glass To: U-Boot Concept Date: Fri, 31 Oct 2025 00:54:15 -0600 Message-ID: <20251031065439.3251464-20-sjg@u-boot.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org> References: <20251031065439.3251464-1-sjg@u-boot.org> MIME-Version: 1.0 Message-ID-Hash: 6OYY73ZS2JX44WTNIN363UNKJPEFFG7M X-Message-ID-Hash: 6OYY73ZS2JX44WTNIN363UNKJPEFFG7M X-MailFrom: sjg@u-boot.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Simon Glass , Claude X-Mailman-Version: 3.3.10 Precedence: list Subject: [Concept] [PATCH 19/24] luks: Create a disk image with LUKS2 encryption List-Id: Discussion and patches related to U-Boot Concept Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Simon Glass Add a new mmc12 image which has a LUKS2-encrypted ext4 partition. Co-developed-by: Claude Signed-off-by: Simon Glass --- arch/sandbox/dts/test.dts | 8 ++++++ test/py/img/common.py | 7 ++--- test/py/img/ubuntu.py | 4 +-- test/py/tests/fs_helper.py | 53 +++++++++++++++++++++++++++----------- test/py/tests/test_ut.py | 3 ++- 5 files changed, 54 insertions(+), 21 deletions(-) diff --git a/arch/sandbox/dts/test.dts b/arch/sandbox/dts/test.dts index 9b0a5736cf8..1d0ebc33387 100644 --- a/arch/sandbox/dts/test.dts +++ b/arch/sandbox/dts/test.dts @@ -49,6 +49,7 @@ mmc9 = "/mmc9"; mmc10 = "/mmc10"; mmc11 = "/mmc11"; + mmc12 = "/mmc12"; pci0 = &pci0; pci1 = &pci1; pci2 = &pci2; @@ -1207,6 +1208,13 @@ filename = "mmc11.img"; }; + /* This is used for LUKS version 2 tests */ + mmc12 { + status = "disabled"; + compatible = "sandbox,mmc"; + filename = "mmc12.img"; + }; + pch { compatible = "sandbox,pch"; }; diff --git a/test/py/img/common.py b/test/py/img/common.py index 01745ce73b3..3b3fdb2734b 100644 
--- a/test/py/img/common.py +++ b/test/py/img/common.py @@ -33,7 +33,7 @@ def copy_partition(ubman, fsfile, outname): def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir, - script, part2_size=1, use_fde=False): + script, part2_size=1, use_fde=0): """Create a 20MB disk image with a single FAT partition Args: @@ -46,7 +46,7 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir, dtbdir (str or None): Devicetree filename script (str): Script to place in the extlinux.conf file part2_size (int): Size of second partition in MB (default: 1) - use_fde (bool): True to encrypt the ext4 partition with LUKS1 + use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2) """ fsh = FsHelper(config, 'vfat', 18, prefix=basename) fsh.setup() @@ -82,7 +82,8 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir, ext4 = FsHelper(config, 'ext4', max(1, part2_size - 30), prefix=basename, part_mb=part2_size, - encrypt_passphrase='test' if use_fde else None) + encrypt_passphrase='test' if use_fde else None, + luks_version=use_fde if use_fde else 2) ext4.setup() bindir = os.path.join(ext4.srcdir, 'bin') diff --git a/test/py/img/ubuntu.py b/test/py/img/ubuntu.py index 58ee9f20277..b783f7eb3cf 100644 --- a/test/py/img/ubuntu.py +++ b/test/py/img/ubuntu.py @@ -7,7 +7,7 @@ from img.common import setup_extlinux_image def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS', - use_fde=False): + use_fde=0): """Create a Ubuntu disk image with a FAT partition and ext4 partition This creates a FAT partition containing extlinux files, kernel, etc. and a 
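Review bot: `luks_version=use_fde if use_fde else 2` in the FsHelper call of the hunk at -82 is a redundant conditional: when use_fde is 0 no encrypt_passphrase is passed and luks_version is never consulted, and when it is non-zero the expression is just use_fde, so `luks_version=use_fde or 2` (or plain `luks_version=use_fde` with a note that it is ignored without a passphrase) reads more honestly. The docstring entry for use_fde in the hunk at -46 should also say that callers still passing `use_fde=True` get LUKS1, since bool True compares equal to 1 in the version check in FsHelper.encrypt_luks; that silent mapping is probably not what a caller upgrading to this change expects. setup_extlinux_image continues outside the hunk.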
@@ -18,7 +18,7 @@ def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS', log (multiplexed_log.Logfile): Log to write to devnum (int): Device number to use, e.g. 1 basename (str): Base name to use in the filename, e.g. 'mmc' - use_fde (bool): True to set up full-disk encryption + use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2) """ vmlinux = 'vmlinuz-6.8.0-53-generic' initrd = 'initrd.img-6.8.0-53-generic' diff --git a/test/py/tests/fs_helper.py b/test/py/tests/fs_helper.py index 49747be1788..914de09e381 100644 --- a/test/py/tests/fs_helper.py +++ b/test/py/tests/fs_helper.py @@ -38,12 +38,20 @@ class FsHelper: fsh.mk_fs() ... - To create an encrypted LUKS1 partition: + To create an encrypted LUKS2 partition (default): with FsHelper(ubman.config, 'ext4', 10, 'mmc1', encrypt_passphrase='test') as fsh: # create files in the fsh.srcdir directory - fsh.mk_fs() # Creates and encrypts the filesystem + fsh.mk_fs() # Creates and encrypts the filesystem with LUKS2 + ... + + To create an encrypted LUKS1 partition: + + with FsHelper(ubman.config, 'ext4', 10, 'mmc1', + encrypt_passphrase='test', luks_version=1) as fsh: + # create files in the fsh.srcdir directory + fsh.mk_fs() # Creates and encrypts the filesystem with LUKS1 ... Properties: @@ -51,7 +59,7 @@ class FsHelper: default value but can be overwritten """ def __init__(self, config, fs_type, size_mb, prefix, part_mb=None, - encrypt_passphrase=None): + encrypt_passphrase=None, luks_version=2): """Set up a new object Args: 
@@ -64,7 +72,8 @@ class FsHelper: to size_mb. This can be used to make the partition larger than the filesystem, to create space for disk-encryption metadata encrypt_passphrase (str, optional): If provided, encrypt the - filesystem with LUKS1 using this passphrase + filesystem with LUKS using this passphrase + luks_version (int): LUKS version to use (1 or 2). Defaults to 2. """ if ('fat' not in fs_type and 'ext' not in fs_type and fs_type not in ['exfat', 'fs_generic']): @@ -77,6 +86,7 @@ class FsHelper: self.prefix = prefix self.quiet = True self.encrypt_passphrase = encrypt_passphrase + self.luks_version = luks_version # Use a default filename; the caller can adjust it leaf = f'{prefix}.{fs_type}.img' @@ -166,11 +176,10 @@ class FsHelper: self.srcdir = self.tmpdir.name def encrypt_luks(self, passphrase): - """Encrypt the filesystem image with LUKS1 + """Encrypt the filesystem image with LUKS - This replaces the filesystem image with a LUKS1-encrypted version. - LUKS1 is used because U-Boot's unlock implementation currently only - supports LUKS version 1. + This replaces the filesystem image with a LUKS-encrypted version. + The LUKS version is determined by self.luks_version. Args: passphrase (str): Passphrase for the LUKS container 
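Review bot: `self.luks_version = luks_version` in the hunk at -77 stores the value unchecked, so an unsupported version such as 3 is only rejected by the ValueError in encrypt_luks, i.e. after mk_fs has already built and populated the filesystem image and that work is discarded. The docstring in the hunk at -64 already restricts the value to 1 or 2, so reject it at construction time: `if encrypt_passphrase is not None and luks_version not in (1, 2):` followed by `raise ValueError(f"Unsupported LUKS version: {luks_version}")`, and list ValueError in the __init__ docstring. Reusing the message from encrypt_luks keeps one wording for callers either way. __init__'s body continues outside the hunk.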
@@ -180,11 +189,25 @@ class FsHelper: Raises: CalledProcessError: If cryptsetup is not available or fails + ValueError: If an unsupported LUKS version is specified """ - # LUKS1 encryption parameters - cipher = 'aes-cbc-essiv:sha256' - key_size = 256 - hash_alg = 'sha256' + # LUKS encryption parameters + if self.luks_version == 1: + # LUKS1 parameters + cipher = 'aes-cbc-essiv:sha256' + key_size = 256 + hash_alg = 'sha256' + luks_type = 'luks1' + elif self.luks_version == 2: + # LUKS2 parameters (modern defaults) + cipher = 'aes-xts-plain64' + key_size = 512 # XTS uses 512-bit keys (2x256) + hash_alg = 'sha256' + luks_type = 'luks2' + else: + raise ValueError(f"Unsupported LUKS version: {self.luks_version}") + + key_size_str = str(key_size) # Save the original filesystem image orig_fs_img = f'{self.fs_img}.orig' @@ -214,11 +237,11 @@ class FsHelper: stdout=DEVNULL, stderr=DEVNULL, check=False) try: - # Format as LUKS1 + # Format as LUKS (version determined by luks_type) run(['cryptsetup', 'luksFormat', - '--type', 'luks1', + '--type', luks_type, '--cipher', cipher, - '--key-size', str(key_size), + '--key-size', key_size_str, '--hash', hash_alg, '--iter-time', '10', # Very fast for testing (low security) luks_img], diff --git a/test/py/tests/test_ut.py b/test/py/tests/test_ut.py index 218f5a74ac1..94d98b3b73b 100644 --- a/test/py/tests/test_ut.py +++ b/test/py/tests/test_ut.py @@ -83,7 +83,8 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log): setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04') setup_localboot_image(u_boot_config, u_boot_log) setup_vbe_image(u_boot_config, u_boot_log) - setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=True) + setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=1) + setup_ubuntu_image(u_boot_config, u_boot_log, 12, 'mmc', use_fde=2) def test_ut(ubman, ut_subtest): """Execute a "ut" subtest.
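Review bot: `key_size_str = str(key_size)` introduces a name for a value used exactly once, in the luksFormat argument list of the next hunk (-214); the previous inline `'--key-size', str(key_size)` was clearer, so the extra line can go. A one-line comment on the LUKS1 branch saying why the legacy aes-cbc-essiv:sha256 parameters are kept (presumably they are what U-Boot's existing LUKS1 unlock path handles — confirm) would stop the next reader from "modernising" them and breaking that test. encrypt_luks continues past the end of the hunk.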
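Review bot: For `--type luks2` the luksFormat call pins cipher, key size and hash but not the key-derivation function, so the mmc12 image uses whatever PBKDF the host cryptsetup defaults to for LUKS2 (typically argon2id on current releases), and `--iter-time 10` then tunes an Argon2 time cost with memory cost left at the default; the image the U-Boot LUKS2 unlock code is exercised against therefore changes with the installed cryptsetup. If the unlock implementation supports a single KDF, pass it explicitly in the LUKS2 case, e.g. `'--pbkdf', 'pbkdf2',` or `'--pbkdf', 'argon2id',`, and extend the `--iter-time` comment to say which KDF the low setting applies to. Pinning it also keeps the "very fast for testing" intent true across cryptsetup versions rather than depending on their defaults.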