From patchwork Sun Nov 16 21:23:21 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@chromium.org>
X-Patchwork-Id: 721
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
Authentication-Results: mail.u-boot.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256
 header.s=google header.b=h/80qwzK;
	dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 072AD685C6
	for <u-boot-concept@u-boot.org>; Sun, 16 Nov 2025 14:24:09 -0700 (MST)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id F2Fprh39fN8f for <u-boot-concept@u-boot.org>;
 Sun, 16 Nov 2025 14:24:08 -0700 (MST)
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 6D905685F2
	for <u-boot-concept@u-boot.org>; Sun, 16 Nov 2025 14:24:07 -0700 (MST)
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 89A56685BF
	for <concept@u-boot.org>; Sun, 16 Nov 2025 14:24:04 -0700 (MST)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 9-1oa0RyxHtk for <concept@u-boot.org>;
 Sun, 16 Nov 2025 14:24:04 -0700 (MST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.166.44;
 helo=mail-io1-f44.google.com; envelope-from=sjg@chromium.org;
 receiver=u-boot.org
Received: from mail-io1-f44.google.com (mail-io1-f44.google.com
 [209.85.166.44])
	by mail.u-boot.org (Postfix) with ESMTPS id D5747685EA
	for <concept@u-boot.org>; Sun, 16 Nov 2025 14:24:01 -0700 (MST)
Received: by mail-io1-f44.google.com with SMTP id
 ca18e2360f4ac-94903ea3766so36817639f.3
        for <concept@u-boot.org>; Sun, 16 Nov 2025 13:24:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1763328240; x=1763933040; darn=u-boot.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=y83xvCGFcDAVbWjPQRduD+nbD/YVk/tXuRhRGGlM22Q=;
        b=h/80qwzKEQI5pN5mp2jP1BUj+f7jNdMN5Ie/P6wG3rmC1d9Da32WzxC94vx3muL/Dy
         Lpdp8EBtngwX9TqoLOKuUXznIhXz/aAMGIfSLeS9Dr489BjhK7SOrGKFdyrYSAEGy0uG
         N9gAXahnw3oBSeBUTXrrVlm8UIM0KjG0XcIeY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763328240; x=1763933040;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=y83xvCGFcDAVbWjPQRduD+nbD/YVk/tXuRhRGGlM22Q=;
        b=ar4PAZTimxxCPBev7spU+c9D6PUzZCjUq4J+St4DEvBRgaS9h079TSaUZVc1P9A3pi
         vyFY8MByj1y5eFGDcuhOjozL4JwfR90NhFbUlUTRSa6uR3P7W6GRCwwDBxCVEgUJoW5h
         oFpKs+/cdF7TUhkfrhZDUISkvjUB1Yky5O/P8PMZaXBIVICVPUV+4jas/fQD7xAmOu0u
         RT4uxVve5aE5KI+VFO3L4yqYZrOFK2BL2S6+L2raBaEUlJUf+HxxsyY2y59hNodeDVM5
         F6sz6IgmlFgIJlVuf9jn2Jp3YdE9hVx76bNctBEPiVAnI6pzotUy7Om0aIR76qyEg+it
         cXjQ==
X-Gm-Message-State: AOJu0YxxAwPBGaf60ai9vy5Kq+spYpbp75OJfeJKkUcTzRvAr8BVsOCL
	d0DPmho5Cw3syYtlJpkwYmk+eRTrP8f1gpxSX9zjnImRoIR3YuALgmEHu4dt1Vr02U4aAsDIR/F
	HpPk=
X-Gm-Gg: ASbGnctEG6XrCdpkhZrOuvPRNKS252w0hPbomlw+rKSyv6bZzwSDLC87kBQJ3Yhgo6e
	/5h+/00F9LuIfyEO1ceQMQhkEtEzid/S6xvHTRIRykA0/xmeFtKdEvg1uDySq3ZLSd7BJDnTv38
	ojf30KYJOlBEnVtxWpDeCvdbShouMyPZ69xVnZtAxUXx2sK8gH94H1Vf2xGgwLvK4k/94Bq1w4e
	XGlliXrKlY5CcqPXBlQrkdFoekuJ6OaR6alsz9xAxkA9TjsupmJWtgE0hJKfhu/PpVfGZf/4gWe
	QFWRYQcHopD55X8QQQbsEzxrsN7r0VdovdAP1Mx4P8e5z19TMNrNEGl3CqWsdi1QBwIAT3Fw7Eo
	eJP0t81k+OinRuDxrcxhGxnudEdHIWauQYl22GtrITkaNn4mG1NWjl++VVGOFzLN+7LKTom8qzB
	Z0hpXz2ywQfXpenMSF3jbgaHX6JiQ=
X-Google-Smtp-Source: 
 AGHT+IFZ8zmQyN/QSBg/T+zR5XfRVNNtXvMaakufiJH/eUHElYXMxcgESJ0mOyWmgcKkfVnvME3bzw==
X-Received: by 2002:a05:6638:650f:b0:5b7:d710:661a with SMTP id
 8926c6da1cb9f-5b7d7106700mr5969061173.21.1763328240199;
        Sun, 16 Nov 2025 13:24:00 -0800 (PST)
Received: from chromium.org ([73.34.74.121])
        by smtp.gmail.com with ESMTPSA id
 ca18e2360f4ac-948d2d162dcsm577962339f.13.2025.11.16.13.23.57
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 16 Nov 2025 13:23:58 -0800 (PST)
From: Simon Glass <sjg@chromium.org>
X-Google-Original-From: Simon Glass <simon.glass@canonical.com>
To: U-Boot Concept <concept@u-boot.org>
Date: Sun, 16 Nov 2025 14:23:21 -0700
Message-ID: <20251116212334.1603490-8-simon.glass@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251116212334.1603490-1-simon.glass@canonical.com>
References: <20251116212334.1603490-1-simon.glass@canonical.com>
MIME-Version: 1.0
Message-ID-Hash: FUREF4N6POCE4OVMED25WDWBVIWNLYXK
X-Message-ID-Hash: FUREF4N6POCE4OVMED25WDWBVIWNLYXK
X-MailFrom: sjg@chromium.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <simon.glass@canonical.com>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 07/14] luks: Extract PBKDF2 key derivation into
 separate
 function
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/FUREF4N6POCE4OVMED25WDWBVIWNLYXK/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

Create a new derive_key_pbkdf2() function to handle key derivation, to
allow this be called from other places and to reduce the size of
try_keyslot()

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
---

 drivers/block/luks.c | 56 ++++++++++++++++++++++++++++++++------------
 1 file changed, 41 insertions(+), 15 deletions(-)

diff --git a/drivers/block/luks.c b/drivers/block/luks.c
index 96180d39b4e..48f281ef77c 100644
--- a/drivers/block/luks.c
+++ b/drivers/block/luks.c
@@ -287,6 +287,42 @@ void essiv_decrypt(const u8 *derived_key, uint key_size, u8 *expkey,
 	}
 }
 
+/**
+ * derive_key_pbkdf2() - Derive key from passphrase using PBKDF2
+ *
+ * @slot:		LUKS keyslot containing salt and iteration count
+ * @pass:		Passphrase
+ * @pass_len:		Length of passphrase
+ * @md_type:		Hash algorithm type
+ * @key_size:		Size of the key to derive
+ * @derived_key:	Buffer for derived key (key_size bytes)
+ * Return: 0 on success, -EPROTO on error
+ */
+static int derive_key_pbkdf2(struct luks1_keyslot *slot, const u8 *pass,
+			     size_t pass_len, mbedtls_md_type_t md_type,
+			     uint key_size, u8 *derived_key)
+{
+	uint iters = be32_to_cpu(slot->iterations);
+	int ret;
+
+	/* Derive key from passphrase using PBKDF2 */
+	log_debug("PBKDF2(pass len=%zu, ", pass_len);
+	log_debug_hex("salt[0-7]", (u8 *)slot->salt, 8);
+	log_debug("iter %u, keylen %u)\n", iters, key_size);
+	ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pass, pass_len,
+					    (const u8 *)slot->salt,
+					    LUKS_SALTSIZE, iters,
+					    key_size, derived_key);
+	if (ret) {
+		log_debug("PBKDF2 failed: %d\n", ret);
+		return -EPROTO;
+	}
+
+	log_debug_hex("derived_key[0-7]", derived_key, 8);
+
+	return 0;
+}
+
 /**
  * try_keyslot() - Unlock a LUKS key slot with a passphrase
  *
@@ -315,7 +351,7 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
 		       uint km_blocks, u8 *split_key, u8 *candidate_key)
 {
 	struct luks1_keyslot *slot = &hdr->key_slot[slot_idx];
-	uint iters, km_offset, stripes, split_key_size;
+	uint km_offset, stripes, split_key_size;
 	struct blk_desc *desc = dev_get_uclass_plat(blk);
 	u8 expkey[AES256_EXPAND_KEY_LENGTH];
 	u8 key_digest[LUKS_DIGESTSIZE];
@@ -328,25 +364,15 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
 
 	log_debug("trying key slot %d (pass len=%zu)...\n", slot_idx, pass_len);
 
-	iters = be32_to_cpu(slot->iterations);
 	km_offset = be32_to_cpu(slot->key_material_offset);
 	stripes = be32_to_cpu(slot->stripes);
 	split_key_size = key_size * stripes;
 
 	/* Derive key from passphrase using PBKDF2 */
-	log_debug("PBKDF2(pass len=%zu, ", pass_len);
-	log_debug_hex("salt[0-7]", (u8 *)slot->salt, 8);
-	log_debug("iter %u, keylen %u)\n", iters, key_size);
-	ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pass, pass_len,
-					    (const u8 *)slot->salt,
-					    LUKS_SALTSIZE, iters,
-					    key_size, derived_key);
-	if (ret) {
-		log_debug("PBKDF2 failed: %d\n", ret);
-		return -EPROTO;
-	}
-
-	log_debug_hex("derived_key[0-7]", derived_key, 8);
+	ret = derive_key_pbkdf2(slot, pass, pass_len, md_type, key_size,
+				derived_key);
+	if (ret)
+		return ret;
 
 	/* Read encrypted key material */
 	ret = blk_read(blk, pinfo->start + km_offset, km_blocks, km);