From patchwork Sun Nov 16 21:23:20 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 720
From: Simon Glass
To: U-Boot Concept
CC: Simon Glass, Claude
Date: Sun, 16 Nov 2025 14:23:20 -0700
Message-ID: <20251116212334.1603490-7-simon.glass@canonical.com>
In-Reply-To: <20251116212334.1603490-1-simon.glass@canonical.com>
Subject: [Concept] [PATCH 06/14] luks: Update luks_unlock() to take binary passphrase
List-Id: Discussion and patches related to U-Boot Concept

Update luks_unlock() to accept a binary passphrase, to match the LUKS2 implementation.

Co-developed-by: Claude
Signed-off-by: Simon Glass
--- cmd/luks.c | 4 ++-- drivers/block/luks.c | 14 +++++++------- include/luks.h | 4 +++- test/boot/luks.c | 4 ++-- 4 files changed, 14 insertions(+), 12 deletions(-) diff --git a/cmd/luks.c b/cmd/luks.c index c1e8035e685..defd987776d 100644 --- a/cmd/luks.c +++ b/cmd/luks.c
@@ -88,8 +88,8 @@ static int do_luks_unlock(struct cmd_tbl *cmdtp, int flag, int argc, printf("Unlocking LUKS%d partition...\n", version); /* Unlock the partition to get the master key */ - ret = luks_unlock(dev_desc->bdev, &info, passphrase, master_key, - &key_size); + ret = luks_unlock(dev_desc->bdev, &info, (const u8 *)passphrase, + strlen(passphrase), master_key, &key_size); if (ret) { printf("Failed to unlock LUKS partition (err %dE)\n", ret); return CMD_RET_FAILURE; diff --git a/drivers/block/luks.c b/drivers/block/luks.c index 93b50dd105a..96180d39b4e 100644 --- a/drivers/block/luks.c +++ b/drivers/block/luks.c @@ -415,7 +415,8 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo, } int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, - const char *pass, u8 *master_key, u32 *key_size) + const u8 *pass, size_t pass_len, u8 *master_key, + u32 *key_size) { uint version, split_key_size, km_blocks, hdr_blocks; u8 *split_key, *derived_key; @@ -452,8 +453,8 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, version = be16_to_cpu(*(__be16 *)(buffer + LUKS_MAGIC_LEN)); if (version == LUKS_VERSION_2) - return unlock_luks2(blk, pinfo, (const u8 *)pass, strlen(pass), - master_key, key_size); + return unlock_luks2(blk, pinfo, pass, pass_len, master_key, + key_size); if (version != LUKS_VERSION_1) { log_debug("unsupported LUKS version %d\n", version); @@ -516,10 +517,9 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, /* Try each key slot */ for (i = 0; i < LUKS_NUMKEYS; i++) { - ret = try_keyslot(blk, pinfo, hdr, i, (const u8 *)pass, - strlen(pass), md_type, *key_size, - derived_key, km, km_blocks, split_key, - candidate_key); + ret = try_keyslot(blk, pinfo, hdr, i, pass, pass_len, md_type, + *key_size, derived_key, km, km_blocks, + split_key, candidate_key); if (!ret) { /* Successfully unlocked */ diff --git a/include/luks.h b/include/luks.h index 6c39db7a2d2..8826fa96507 100644 
--- a/include/luks.h +++ b/include/luks.h @@ -146,6 +146,7 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo); * @blk: Block device * @pinfo: Partition information * @pass: Passphrase to unlock the partition + * @pass_len: Length of the passphrase in bytes * @master_key: Buffer to receive the decrypted master key * @key_size: Size of the master_key buffer * Return: 0 on success, @@ -157,7 +158,8 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo); * -EIO if failed to read from block device */ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo, - const char *pass, u8 *master_key, u32 *key_size); + const u8 *pass, size_t pass_len, u8 *master_key, + u32 *key_size); /** * luks_create_blkmap() - Create a blkmap device for a LUKS partition diff --git a/test/boot/luks.c b/test/boot/luks.c index 6bf613f3b08..93cc8ce6681 100644 --- a/test/boot/luks.c +++ b/test/boot/luks.c @@ -274,8 +274,8 @@ static int bootstd_test_luks2_unlock(struct unit_test_state *uts) /* Test that unlock fails for partition 1 (not LUKS) */ ut_assertok(part_get_info(desc, 1, &info)); - ut_asserteq(-ENOENT, luks_unlock(desc->bdev, &info, "test", master_key, - &key_size)); + ut_asserteq(-ENOENT, luks_unlock(desc->bdev, &info, (const u8 *)"test", + 4, master_key, &key_size)); /* Test unlocking partition 2 with correct passphrase */ ut_assertok(run_command("luks unlock mmc c:2 test", 0));
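Review bot: in cmd/luks.c (hunk @@ -88,8), the length is still computed with strlen(passphrase), so the command path stops at the first NUL byte and cannot carry a binary passphrase even though luks_unlock() now accepts one. If the command is meant to support text passphrases only, a one-line comment at this call saying so would make the limitation explicit; otherwise the length has to come from wherever the key material is read rather than from strlen().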
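Review bot: in drivers/block/luks.c, luks_unlock() (hunk @@ -415,7) now trusts the caller for both pass and pass_len, and the two later hunks forward them to unlock_luks2() and try_keyslot() unchanged, with no check in the changed lines. Consider validating at the top of luks_unlock(), for example rejecting a NULL pass with a non-zero pass_len, and deciding explicitly whether pass_len == 0 is accepted, so that every caller gets the same behaviour for both LUKS versions.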
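Review bot: in include/luks.h (hunk @@ -146,6), the new @pass_len line is added but the unchanged @pass line still reads "Passphrase to unlock the partition", which suggests a C string. With the type now const u8 *, the comment should say that @pass is a buffer of @pass_len bytes that need not be NUL-terminated and may contain NUL bytes, so callers do not assume strlen() semantics.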
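Review bot: in test/boot/luks.c (hunk @@ -274,8), the length is the bare literal 4 beside (const u8 *)"test", which can drift from the string if either is edited; strlen("test") or sizeof("test") - 1 keeps them in step. This direct call also only asserts -ENOENT on the non-LUKS partition 1, and the successful unlock goes through run_command("luks unlock mmc c:2 test", 0), so no test in the visible lines passes an explicit length to luks_unlock() on a LUKS partition; adding such a direct call would cover the new parameter.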