From: Simon Glass
To: U-Boot Concept
CC: Heinrich Schuchardt, Simon Glass, Claude
Date: Tue, 11 Nov 2025 05:41:15 -0700
Message-ID: <20251111124131.1198930-10-sjg@u-boot.org>
In-Reply-To: <20251111124131.1198930-1-sjg@u-boot.org>
References: <20251111124131.1198930-1-sjg@u-boot.org>
Subject: [Concept] [PATCH 09/15] test: Add a way to create a LUKS2 partition with XTS

From: Simon Glass

For LUKS version 2, argon is normally used in preference to pbkdf2. Add an
argument to specify this when creating a filesystem.

Co-developed-by: Claude
Signed-off-by: Simon Glass
---
 test/py/tests/fs_helper.py | 40 ++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/test/py/tests/fs_helper.py b/test/py/tests/fs_helper.py
index 4812d3f053b..d88cc270b95 100644
--- a/test/py/tests/fs_helper.py
+++ b/test/py/tests/fs_helper.py
@@ -54,12 +54,20 @@ class FsHelper: fsh.mk_fs() # Creates and encrypts the filesystem with LUKS1 ... + To create an encrypted LUKS2 partition with Argon2id: + + with FsHelper(ubman.config, 'ext4', 10, 'mmc1', + passphrase='test', luks_kdf='argon2id') as fsh: + # create files in the fsh.srcdir directory + fsh.mk_fs() # Creates and encrypts the FS with LUKS2+Argon2 + ... + Properties: fs_img (str): Filename for the filesystem image; this is set to a default value but can be overwritten """ def __init__(self, config, fs_type, size_mb, prefix, part_mb=None, - passphrase=None, luks_version=2): + passphrase=None, luks_version=2, luks_kdf='pbkdf2'): """Set up a new object Args: @@ -74,6 +82,8 @@ class FsHelper: passphrase (str, optional): If provided, encrypt the filesystem with LUKS using this passphrase luks_version (int): LUKS version to use (1 or 2). Defaults to 2. + luks_kdf (str): Key derivation function for LUKS2: 'pbkdf2' or + 'argon2id'. Defaults to 'pbkdf2'. Ignored for LUKS1. """ if ('fat' not in fs_type and 'ext' not in fs_type and fs_type not in ['exfat', 'fs_generic']): @@ -87,6 +97,7 @@ class FsHelper: self.quiet = True self.passphrase = passphrase self.luks_version = luks_version + self.luks_kdf = luks_kdf # Use a default filename; the caller can adjust it leaf = f'{prefix}.{fs_type}.img' 
@@ -238,13 +249,26 @@ class FsHelper: try: # Format as LUKS (version determined by luks_type) - run(['cryptsetup', 'luksFormat', - '--type', luks_type, - '--cipher', cipher, - '--key-size', key_size_str, - '--hash', hash_alg, - '--iter-time', '10', # Very fast for testing (low security) - luks_img], + cmd = ['cryptsetup', 'luksFormat', + '--type', luks_type, + '--cipher', cipher, + '--key-size', key_size_str, + '--hash', hash_alg, + '--iter-time', '10'] # Very fast for testing (low security) + + # For LUKS2, specify the KDF (pbkdf2 or argon2id) + if self.luks_version == 2: + cmd.extend(['--pbkdf', self.luks_kdf]) + # For Argon2, use low memory/time settings suitable for testing + if self.luks_kdf == 'argon2id': + cmd.extend([ + '--pbkdf-memory', '65536', # 64MB + '--pbkdf-parallel', '4', + ]) + + cmd.append(luks_img) + + run(cmd, input=f'{passphrase}\n'.encode(), stdout=DEVNULL if self.quiet else None, stderr=DEVNULL if self.quiet else None,
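
Review bot: In the `@@ -54,12 +54,20 @@` hunk the `__init__` signature defaults `luks_kdf` to 'pbkdf2', while the commit message says Argon is normally preferred for LUKS2, and the subject mentions XTS although none of the visible hunks touch the cipher. Please say in the `luks_kdf` docstring entry why the default stays 'pbkdf2' (for example, to keep existing tests unchanged), and align the subject with what the change does, which is selecting the LUKS2 KDF.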
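
Review bot: In the `@@ -87,6 +97,7 @@` hunk, `self.luks_kdf = luks_kdf` stores the value unchecked and it is later passed straight to `cryptsetup --pbkdf`, so a typo or unsupported name only fails when `luksFormat` runs, and with `self.quiet` set that error goes to DEVNULL. Consider validating it next to the existing `fs_type` check, raising ValueError unless it is 'pbkdf2' or 'argon2id'. It would also help to reject a non-default `luks_kdf` together with `luks_version=1` instead of ignoring it, since a test that asks for Argon2id on LUKS1 would otherwise silently exercise PBKDF2.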
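
Review bot: In the `@@ -238,13 +249,26 @@` hunk, `--iter-time 10`, `--pbkdf-memory 65536` and `--pbkdf-parallel 4` are a target and upper bounds rather than fixed costs: cryptsetup benchmarks the host and lowers the memory and parallel values when less RAM or fewer CPUs are available, so the Argon2id parameters written to the LUKS2 header can differ between a developer machine and CI. If the U-Boot side is expected to unlock within a known memory and time budget, pinning the cost with `--pbkdf-force-iterations` would make the generated image reproducible. The comment on `--iter-time` already flags the low security; repeating that next to the Argon2 settings, and writing the unit as 64 MiB, would keep anyone from copying these values outside the test helper.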