From patchwork Sat Nov 15 18:52:05 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 714
From: Simon Glass
To: U-Boot Concept
Date: Sat, 15 Nov 2025 11:52:05 -0700
Message-ID: <20251115185212.539268-17-sjg@u-boot.org>
In-Reply-To: <20251115185212.539268-1-sjg@u-boot.org>
References: <20251115185212.539268-1-sjg@u-boot.org>
CC: Simon Glass
Subject: [Concept] [PATCH 16/16] boot: Detect encrypted partitions with extlinux
List-Id: Discussion and patches related to U-Boot Concept

From: Simon Glass

We don't have an explicit indication of whether the root disk is encrypted or not. For now, try to detect it and set the flag if found.

Signed-off-by: Simon Glass
--- boot/bootmeth_extlinux.c | 54 ++++++++++++++++++++++++++++++++++++++++ test/boot/bootflow.c | 38 ++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) diff --git a/boot/bootmeth_extlinux.c b/boot/bootmeth_extlinux.c index 5a4fefbd868..0cc8c2bf9a5 100644 --- a/boot/bootmeth_extlinux.c +++ b/boot/bootmeth_extlinux.c @@ -17,9 +17,11 @@ #include #include #include +#include #include #include #include +#include #include static int extlinux_get_state_desc(struct udevice *dev, char *buf, int maxsize)
@@ -64,6 +66,54 @@ static int extlinux_check(struct udevice *dev, struct bootflow_iter *iter) return 0; } +/** + * extlinux_check_luks() - Check for LUKS encryption on other partitions + * + * This scans all partitions on the same device to check for LUKS encryption. + * If found, it marks this bootflow as encrypted since it likely boots from + * an encrypted root partition. + * + * @bflow: Bootflow to potentially mark as encrypted + * Return: 0 on success, -ve on error + */ +static int extlinux_check_luks(struct bootflow *bflow) +{ + struct blk_desc *desc; + struct disk_partition info; + int ret, part; + + if (!IS_ENABLED(CONFIG_BLK_LUKS) || !bflow->blk) + return 0; + + desc = dev_get_uclass_plat(bflow->blk); + if (!desc || !desc->bdev) + return 0; + + /* + * Check all partitions on this device for LUKS encryption. + * Typically partition 1 has the bootloader files and partition 2 + * has the encrypted root filesystem. Check up to 10 partitions. + */ + for (part = 1; part <= 10; part++) { + ret = part_get_info(desc, part, &info); + if (ret) + continue; /* Partition doesn't exist */ + + ret = luks_detect(desc->bdev, &info); + if (!ret) { + int luks_ver = luks_get_version(desc->bdev, &info); + + log_debug("LUKS partition %d detected (v%d), marking bootflow as encrypted\n", + part, luks_ver); + bflow->flags |= BOOTFLOWF_ENCRYPTED; + bflow->luks_version = luks_ver; + return 0; + } + } + + return 0; +} + /** * extlinux_fill_info() - Decode the extlinux file to find out its info * @@ -158,6 +208,10 @@ static int extlinux_read_bootflow(struct udevice *dev, struct bootflow *bflow) if (ret) return log_msg_ret("inf", ret); + ret = extlinux_check_luks(bflow); + if (ret) + return log_msg_ret("luks", ret); + return 0; } diff --git a/test/boot/bootflow.c b/test/boot/bootflow.c index a1390ad9a6d..55f73cda3ef 100644 --- a/test/boot/bootflow.c +++ b/test/boot/bootflow.c 
@@ -1770,3 +1770,41 @@ static int bootflow_extlinux_localboot(struct unit_test_state *uts) return 0; } BOOTSTD_TEST(bootflow_extlinux_localboot, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE); + +/* Check 'bootflow info' with encrypted partition on mmc12 */ +static int bootflow_cmd_info_encrypted(struct unit_test_state *uts) +{ + /* Enable mmc12 which has LUKS encrypted partition and scan it */ + ut_assertok(scan_mmc_bootdev(uts, "mmc12", false)); + + /* Check for bootflows - should find one on mmc12 */ + ut_assertok(run_command("bootflow list", 0)); + ut_assert_nextline("Showing all bootflows"); + ut_assert_nextlinen("Seq"); + ut_assert_nextlinen("---"); + ut_assert_nextlinen(" 0 extlinux"); + ut_assert_nextline( + " 1 extlinux ready mmc 1 %c mmc12.bootdev.part_1 /extlinux/extlinux.conf", + IS_ENABLED(CONFIG_BLK_LUKS) ? 'E' : ' '); + ut_assert_nextline("--- ----------- ------ -------- ---- - ------------------------ ----------------"); + ut_assert_nextline("(2 bootflows, 2 valid)"); + ut_assert_console_end(); + + /* Select the mmc12 bootflow and check info shows encryption */ + ut_assertok(run_command("bootflow select 1", 0)); + ut_assert_console_end(); + ut_assertok(run_command("bootflow info", 0)); + ut_assert_nextline("Name: mmc12.bootdev.part_1"); + ut_assert_nextline("Device: mmc12.bootdev"); + ut_assert_nextline("Block dev: mmc12.blk"); + ut_assert_nextline("Method: extlinux"); + ut_assert_nextline("State: ready"); + ut_assert_nextline("Partition: 1"); + if (IS_ENABLED(CONFIG_BLK_LUKS)) + ut_assert_nextline("Encrypted: LUKSv2"); + ut_assert_skip_to_line("Error: 0"); + ut_assert_console_end(); + + return 0; +} +BOOTSTD_TEST(bootflow_cmd_info_encrypted, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
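
Review bot: In extlinux_check_luks() (boot/bootmeth_extlinux.c, hunk at -64,6 +66,54), the value returned by luks_get_version() is written to bflow->luks_version and logged without being checked, so if that call can fail the bootflow ends up flagged BOOTFLOWF_ENCRYPTED with an error code stored as its LUKS version. Suggest testing luks_ver before setting the flag and the field, and deciding explicitly what to record when the version cannot be read. Two smaller points in the same function: the flag is set as soon as any of the first 10 partitions is LUKS, which the comment itself only calls "likely" to be the root, so the function comment should state that BOOTFLOWF_ENCRYPTED is a detection hint derived from on-disk headers rather than a statement about the partition this extlinux entry boots; and the literal 10 in the loop would read better as a named constant.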
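
Review bot: In extlinux_read_bootflow() (boot/bootmeth_extlinux.c, hunk at -158,6 +208,10), the added `if (ret) return log_msg_ret("luks", ret);` branch cannot be reached, because extlinux_check_luks() as added in this patch returns 0 on every path even though its comment documents "-ve on error". Either make the helper void and drop the check, or define which failures it reports. If it does start returning errors later, failing the whole bootflow read because a detection heuristic failed would hide an otherwise usable entry, so logging and continuing looks like the safer behaviour at this call site.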
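
Review bot: In bootflow_cmd_info_encrypted() (test/boot/bootflow.c), the check after "Partition: 1" goes straight to ut_assert_skip_to_line("Error: 0"), so when CONFIG_BLK_LUKS is disabled an unexpected "Encrypted:" line would be skipped over and the test would still pass. Suggest asserting the line that follows "Partition: 1" explicitly in the disabled case. The test also covers only the positive case: bootflow 0 is matched with ut_assert_nextlinen(" 0 extlinux"), which does not look at the flag column, so nothing here verifies that a device without a LUKS partition is left unflagged.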