diff mbox series

[Concept,20/24] luks: Show the JSON information for LUKSv2

Message ID	20251031065439.3251464-21-sjg@u-boot.org
State	New
Headers	From: Simon Glass <sjg@u-boot.org> To: U-Boot Concept <concept@u-boot.org> Date: Fri, 31 Oct 2025 00:54:16 -0600 Message-ID: <20251031065439.3251464-21-sjg@u-boot.org> In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org> References: <20251031065439.3251464-1-sjg@u-boot.org> MIME-Version: 1.0 Message-ID-Hash: BEDQVWAU6C7ZFPM5ZOOCUYW6C6TCLF73 CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com> Precedence: list Subject: [Concept] [PATCH 20/24] luks: Show the JSON information for LUKSv2 Archived-At: <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/BEDQVWAU6C7ZFPM5ZOOCUYW6C6TCLF73/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	luks: Provide basic support for unlocking a LUKS1 partition \| [Concept,00/24] luks: Provide basic support for unlocking a LUKS1 partition [Concept,01/24] aes: Fix key size handling for AES-192 and AES-256 [Concept,02/24] doc: Provide documentation for the blkmap command [Concept,03/24] log: Provide a macro to log a hex string [Concept,04/24] panic: Provide a way to poweroff on panic [Concept,05/24] sandbox: Enable CONFIG_PANIC_POWEROFF [Concept,06/24] sandbox: Add devon and devoff subcommands to sb command [Concept,07/24] mbedtls: hash: Provide the mbedtls hash type in the hash interface [Concept,08/24] mbedtls: Allow use of PKCS#5 functions [Concept,09/24] test/py: Support creating space after a filesystem [Concept,10/24] test/py: Support FDE with the extlinux image [Concept,11/24] test/py: Set up an Ubuntu image with space for FDE [Concept,12/24] docker: Add cryptsetup package for LUKS testing [Concept,13/24] CI: Update Docker image to including luks tools [Concept,14/24] luks: Add a way to create an encrypted partition [Concept,15/24] luks: Encrypt the mmc11 test image [Concept,16/24] luks: Add the beginning of LUKS support [Concept,17/24] luks: Add a simple command [Concept,18/24] luks: Create a very simple JSON library [Concept,19/24] luks: Create a disk image with LUKS2 encryption [Concept,20/24] luks: Show the JSON information for LUKSv2 [Concept,21/24] luks: Enhance blkmap to support LUKSv1 [Concept,22/24] luks: Provide a way to unlock and map encrypted partitions [Concept,23/24] luks: Add a subcommand to unlock an encrypted partition

Commit Message

Simon Glass Oct. 31, 2025, 6:54 a.m. UTC

  From: Simon Glass <sjg@chromium.org>

Extract the full information for version 2, which is JSON format. Show
this with the 'luks info' command.

Use the mmc12 disk to check this.

Require the JSON for LUKS.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 doc/usage/cmd/luks.rst |  29 ++++++++++
 drivers/block/Kconfig  |   1 +
 drivers/block/luks.c   |  23 ++++++++
 test/boot/luks.c       | 118 ++++++++++++++++++++++++++++++++++++++---
 4 files changed, 165 insertions(+), 6 deletions(-)

diff mbox series

Patch

diff --git a/doc/usage/cmd/luks.rst b/doc/usage/cmd/luks.rst
index b88fcd96439..c3b03eeff2e 100644
--- a/doc/usage/cmd/luks.rst
+++ b/doc/usage/cmd/luks.rst
@@ -106,6 +106,35 @@  Display LUKS header information for a LUKS2 partition::
     Label:
     Checksum alg:   sha256
 
+    JSON metadata (12288 bytes):
+    {
+      "keyslots": {
+        "0": {
+          "type": "luks2",
+          "key_size": 64,
+          "kdf": {
+            "type": "argon2id",
+            "time": 6,
+            "memory": 1048576,
+            "cpus": 4,
+            ...
+          },
+          ...
+        }
+      },
+      "tokens": {},
+      "segments": {
+        "0": {
+          "type": "crypt",
+          "offset": "16777216",
+          "encryption": "aes-xts-plain64",
+          ...
+        }
+      },
+      "digests": { ... },
+      "config": { ... }
+    }
+
 Display LUKS header information for a LUKS1 partition::
 
     => luks info mmc 1:1
diff --git a/drivers/block/Kconfig b/drivers/block/Kconfig
index b07012ec7c9..34cd2ee8e59 100644
--- a/drivers/block/Kconfig
+++ b/drivers/block/Kconfig
@@ -278,6 +278,7 @@  config BLK_LUKS
 	select SHA256
 	select PBKDF2
 	select PKCS5_MBEDTLS if MBEDTLS_LIB_CRYPTO
+	select JSON
 	help
 	  This provides support for detecting and decrypting LUKS (Linux Unified
 	  Key Setup) encrypted partitions. LUKS is a disk encryption specification
diff --git a/drivers/block/luks.c b/drivers/block/luks.c
index 597359b98ff..c43cb9a3dd3 100644
--- a/drivers/block/luks.c
+++ b/drivers/block/luks.c
@@ -8,6 +8,7 @@ 
 #include <blk.h>
 #include <dm.h>
 #include <hexdump.h>
+#include <json.h>
 #include <log.h>
 #include <luks.h>
 #include <memalign.h>
@@ -103,6 +104,28 @@  int luks_show_info(struct udevice *blk, struct disk_partition *pinfo)
 		printf("UUID:           %.40s\n", luks2_hdr->uuid);
 		printf("Label:          %.48s\n", luks2_hdr->label);
 		printf("Checksum alg:   %.32s\n", luks2_hdr->csum_alg);
+
+		if (IS_ENABLED(CONFIG_JSON)) {
+			u64 json_size;
+			char *json_start;
+			int blocks;
+
+			/* Read the full header to get JSON area */
+			blocks = (hdr_size + desc->blksz - 1) / desc->blksz;
+			ALLOC_CACHE_ALIGN_BUFFER(unsigned char, full_hdr, blocks * desc->blksz);
+
+			if (blk_read(blk, pinfo->start, blocks, full_hdr) != blocks) {
+				printf("Error: failed to read full LUKS2 header\n");
+				return -EIO;
+			}
+
+			/* JSON starts after the 4096-byte binary header */
+			json_start = (char *)(full_hdr + 4096);
+			json_size = hdr_size - 4096;
+
+			printf("\nJSON metadata (%llx bytes):\n", json_size);
+			json_print_pretty(json_start, (int)json_size);
+		}
 	} else {
 		printf("Unknown LUKS version\n");
 		return -EPROTONOSUPPORT;
diff --git a/test/boot/luks.c b/test/boot/luks.c
index fadd3819ffe..70ee0fb0824 100644
--- a/test/boot/luks.c
+++ b/test/boot/luks.c
@@ -20,19 +20,49 @@ 
 
 DECLARE_GLOBAL_DATA_PTR;
 
-/* Common function to setup mmc11 device */
-static int setup_mmc11(struct unit_test_state *uts, struct udevice **mmcp)
+/**
+ * setup_mmc_device() - Set up an MMC device for testing
+ *
+ * This function binds and probes an MMC device specified by its device tree
+ * node name. It is used to prepare MMC devices containing test disk images
+ * with various configurations (e.g., LUKS1, LUKS2 encryption).
+ *
+ * @uts: Unit test state
+ * @node_name: Name of the device tree node (e.g., "mmc11", "mmc12")
+ * @mmcp: Returns pointer to the MMC device
+ * Return: 0 if OK, -ve on error
+ */
+static int setup_mmc_device(struct unit_test_state *uts, const char *node_name,
+			    struct udevice **mmcp)
 {
+	struct udevice *mmc;
 	ofnode root, node;
 
-	/* Enable the mmc11 node */
+	/* Enable the specified mmc node */
 	root = oftree_root(oftree_default());
-	node = ofnode_find_subnode(root, "mmc11");
+	node = ofnode_find_subnode(root, node_name);
 	ut_assert(ofnode_valid(node));
-	ut_assertok(lists_bind_fdt(gd->dm_root, node, mmcp, NULL, false));
+	ut_assertok(lists_bind_fdt(gd->dm_root, node, &mmc, NULL, false));
 
 	/* Probe the device */
-	ut_assertok(device_probe(*mmcp));
+	ut_assertok(device_probe(mmc));
+	*mmcp = mmc;
+
+	return 0;
+}
+
+/* Setup mmc11 device */
+static int setup_mmc11(struct unit_test_state *uts, struct udevice **mmcp)
+{
+	ut_assertok(setup_mmc_device(uts, "mmc11", mmcp));
+
+	return 0;
+}
+
+/* Setup mmc12 device */
+static int setup_mmc12(struct unit_test_state *uts, struct udevice **mmcp)
+{
+	ut_assertok(setup_mmc_device(uts, "mmc12", mmcp));
 
 	return 0;
 }
@@ -107,3 +137,79 @@  static int bootstd_test_luks_info(struct unit_test_state *uts)
 	return 0;
 }
 BOOTSTD_TEST(bootstd_test_luks_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 detection on mmc12 partitions */
+static int bootstd_test_luks2_detect(struct unit_test_state *uts)
+{
+	struct disk_partition info;
+	struct blk_desc *desc;
+	struct udevice *mmc;
+	int ret;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+	desc = blk_get_by_device(mmc);
+	ut_assertnonnull(desc);
+	ut_assertnonnull(desc->bdev);
+
+	/* Check partition 1 - should NOT be LUKS */
+	ut_assertok(part_get_info(desc, 1, &info));
+	ret = luks_detect(desc->bdev, &info);
+	ut_assert(ret < 0);  /* Should fail - not LUKS */
+
+	/* Check partition 2 - should BE LUKS */
+	ut_assertok(part_get_info(desc, 2, &info));
+	ut_assertok(luks_detect(desc->bdev, &info));
+
+	/* Verify it's LUKS version 2 */
+	ut_asserteq(2, luks_get_version(desc->bdev, &info));
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_detect, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 command on mmc12 partitions */
+static int bootstd_test_luks2_cmd(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+
+	/* Test partition 1 - should NOT be LUKS */
+	ut_asserteq(1, run_command("luks detect mmc c:1", 0));
+	ut_assert_nextlinen("Not a LUKS partition (error -");
+	ut_assert_console_end();
+
+	/* Test partition 2 - should BE LUKS */
+	ut_assertok(run_command("luks detect mmc c:2", 0));
+	ut_assert_nextline("LUKS2 encrypted partition detected");
+	ut_assert_console_end();
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_cmd, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 info command on mmc12 partition 2 */
+static int bootstd_test_luks2_info(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+
+	/* Test partition 2 LUKS info */
+	ut_assertok(run_command("luks info mmc c:2", 0));
+	ut_assert_nextline("Version:        2");
+	ut_assert_nextlinen("Header size:");
+	ut_assert_nextlinen("Sequence ID:");
+	ut_assert_nextlinen("UUID:");
+	ut_assert_nextlinen("Label:");
+	ut_assert_nextlinen("Checksum alg:");
+
+	/* Verify JSON metadata section is present (skip empty line first) */
+	ut_assert_skip_to_line("");
+	ut_assert_nextlinen("JSON metadata (");
+	ut_assert_nextline("{");
+	/* JSON output varies and there is little value in checking it here */
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);