From: Simon Glass
To: U-Boot Concept
CC: Simon Glass
Date: Sun, 16 Nov 2025 14:23:26 -0700
Subject: [Concept] [PATCH 12/14] luks: Support a pre-derived key
Message-ID: <20251116212334.1603490-13-simon.glass@canonical.com>
X-Patchwork-Id: 726

Update luks_unlock() to support a pre-derived key, such as that obtained from a TKey. This must match the key_size of the LUKS partition, otherwise it will fail to unlock.

Signed-off-by: Simon Glass
--- cmd/luks.c | 2 +- drivers/block/luks.c | 11 ++++++----- include/luks.h | 4 ++-- test/boot/luks.c | 2 +- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/cmd/luks.c b/cmd/luks.c index defd987776d..47d3e5bed7b 100644 --- a/cmd/luks.c +++ b/cmd/luks.c 
@@ -89,7 +89,7 @@ static int do_luks_unlock(struct cmd_tbl *cmdtp, int flag, int argc, /* Unlock the partition to get the master key */ ret = luks_unlock(dev_desc->bdev, &info, (const u8 *)passphrase, - strlen(passphrase), master_key, &key_size); + strlen(passphrase), false, master_key, &key_size); if (ret) { printf("Failed to unlock LUKS partition (err %dE)\n", ret); return CMD_RET_FAILURE; diff --git a/drivers/block/luks.c b/drivers/block/luks.c index 3fc54dbbb9a..10ef4a2e31a 100644 --- a/drivers/block/luks.c +++ b/drivers/block/luks.c @@ -590,7 +590,8 @@ out: } int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, - const u8 *pass, size_t pass_len, u8 *master_key, u32 *key_sizep) + const u8 *pass, size_t pass_len, bool pre_derived, + u8 *master_key, u32 *key_sizep) { uint version, hdr_blocks; struct luks1_phdr *hdr; @@ -625,12 +626,12 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, switch (version) { case LUKS_VERSION_1: hdr = (struct luks1_phdr *)buffer; - ret = unlock_luks1(blk, pinfo, hdr, pass, pass_len, master_key, - false, key_sizep); + ret = unlock_luks1(blk, pinfo, hdr, pass, pass_len, + pre_derived, master_key, key_sizep); break; case LUKS_VERSION_2: - ret = unlock_luks2(blk, pinfo, pass, pass_len, master_key, - key_sizep); + ret = unlock_luks2(blk, pinfo, pass, pass_len, pre_derived, + master_key, key_sizep); break; default: log_debug("unsupported LUKS version %d\n", version); diff --git a/include/luks.h b/include/luks.h index 8826fa96507..da9be12e2a3 100644 --- a/include/luks.h +++ b/include/luks.h 
@@ -158,8 +158,8 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo); * -EIO if failed to read from block device */ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, - const u8 *pass, size_t pass_len, u8 *master_key, - u32 *key_size); + const u8 *pass, size_t pass_len, bool pre_derived, + u8 *master_key, u32 *key_size); /** * luks_create_blkmap() - Create a blkmap device for a LUKS partition diff --git a/test/boot/luks.c b/test/boot/luks.c index 93cc8ce6681..dfd6f7b411c 100644 --- a/test/boot/luks.c +++ b/test/boot/luks.c @@ -275,7 +275,7 @@ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) /* Test that unlock fails for partition 1 (not LUKS) */ ut_assertok(part_get_info(desc, 1, &info)); ut_asserteq(-ENOENT, luks_unlock(desc->bdev, &info, (const u8 *)"test", - 4, master_key, &key_size)); + 4, false, master_key, &key_size)); /* Test unlocking partition 2 with correct passphrase */ ut_assertok(run_command("luks unlock mmc c:2 test", 0));
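Review bot: In drivers/block/luks.c (hunk at -625), the unlock_luks1() call moves the bool from after master_key (the old call passed `master_key, false, key_sizep`) to before it (`pre_derived, master_key, key_sizep`), and the unlock_luks2() call gains an argument, yet no hunk in this patch touches either definition. Please confirm that both calls match the prototypes as they stand at this point in the series and that the commit before this one still builds, and say in the commit message if the old unlock_luks1() argument order was a bug being fixed here. A `false` in a pointer slot and a pointer in a bool slot both compile quietly in C, so a swapped pair like this is easy to miss and would hand the callee a NULL key buffer.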
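Review bot: In include/luks.h, the luks_unlock() prototype gains `bool pre_derived` but the comment block above it is left unchanged (the diffstat shows only the two prototype lines changing in this file). Please add a description of pre_derived that states that pass and pass_len then carry the key itself instead of a passphrase, that pass_len must equal the key size of the LUKS partition as the commit message says, and which error code the caller gets when it does not.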
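Review bot: In test/boot/luks.c, the only change is adding `false` to the existing luks_unlock() call, and cmd/luks.c also passes `false`, so nothing in this patch exercises pre_derived = true. Please add a test that unlocks with a pre-derived key of the correct length, and one that passes a key whose length differs from the partition's key_size and asserts that luks_unlock() returns an error and does not report success. The second case is the one the commit message calls out, so it is worth pinning down in a test.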