From patchwork Mon Dec 8 02:32:19 2025
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 849
From: Simon Glass
To: U-Boot Concept
Date: Sun, 7 Dec 2025 19:32:19 -0700
Message-ID: <20251208023229.3929910-17-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251208023229.3929910-1-sjg@u-boot.org>
References: <20251208023229.3929910-1-sjg@u-boot.org>
CC: Simon Glass, Claude
Subject: [Concept] [PATCH 16/19] luks: Add -p flag for pre-derived master key
List-Id: Discussion and patches related to U-Boot Concept

Add a -p flag to the luks unlock command that allows passing a
hex-encoded pre-derived master key, skipping the KDF step. This is
useful when the master key has been derived externally, such as from a
hardware security module.

Adjust the normal flow (without -p) to use a key derived on the TKey
output. While that works OK with LUKS1, the 32-byte value is not long
enough to work with LUKS2.

Update the documentation to describe the new flag.

Co-developed-by: Claude
Signed-off-by: Simon Glass
---
 cmd/luks.c             | 42 +++++++++++++++++++++++++++++++-----------
 doc/usage/cmd/luks.rst | 18 ++++++++++++++++--
 2 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/cmd/luks.c b/cmd/luks.c
index ec4d400b44e..31805ffa5ad 100644
--- a/cmd/luks.c
+++ b/cmd/luks.c
@@ -85,10 +85,10 @@ static int unlock_with_tkey(struct blk_desc *dev_desc, printf("Using TKey for disk encryption key\n"); /* Find TKey device */ - ret = uclass_first_device_err(UCLASS_TKEY, &tkey_dev); - if (ret) { - printf("Failed to find TKey device (err %dE)\n", ret); - return ret; + tkey_dev = tkey_get_device(); + if (!tkey_dev) { + printf("Failed to find TKey device\n"); + return -ENOENT; } /* Derive disk key using TKey with passphrase as USS */ @@ -113,7 +113,7 @@ static int unlock_with_tkey(struct blk_desc *dev_desc, TKEY_DISK_KEY_SIZE, false); ret = luks_unlock(dev_desc->bdev, info, tkey_disk_key, - TKEY_DISK_KEY_SIZE, true, master_key, key_size); + TKEY_DISK_KEY_SIZE, false, master_key, key_size); /* Wipe TKey disk key */ memset(tkey_disk_key, '\0', sizeof(tkey_disk_key)); @@ -129,14 +129,21 @@ static int do_luks_unlock(struct cmd_tbl *cmdtp, int flag, int argc, struct udevice *blkmap_dev; const char *passphrase = NULL; bool use_tkey = false; + bool pre_derived = false; int part, ret, version; u8 master_key[128]; char label[64]; u32 key_size; - /* Check for -t flag */ - if (!strcmp(argv[1], "-t")) { - use_tkey = true; + /* Check for flags */ + while (argc > 1 && argv[1][0] == '-') { + if (!strcmp(argv[1], "-t")) { + use_tkey = true; + } else if (!strcmp(argv[1], "-p")) { + pre_derived = true; + } else { + return CMD_RET_USAGE; + } argc--; argv++; } 
@@ -165,9 +172,21 @@ static int do_luks_unlock(struct cmd_tbl *cmdtp, int flag, int argc, if (use_tkey) { ret = unlock_with_tkey(dev_desc, &info, passphrase, master_key, &key_size); + } else if (pre_derived) { + /* Pre-derived key: passphrase is hex-encoded master key */ + u8 key_buf[64]; + size_t key_len = strlen(passphrase) / 2; + + if (key_len > sizeof(key_buf) || hex2bin(key_buf, passphrase, + key_len)) { + printf("Invalid hex key\n"); + return CMD_RET_FAILURE; + } + ret = luks_unlock(dev_desc->bdev, &info, key_buf, key_len, + true, master_key, &key_size); } else { /* Unlock with passphrase */ - ret = luks_unlock(dev_desc->bdev, &info,(const u8 *)passphrase, + ret = luks_unlock(dev_desc->bdev, &info, (const u8 *)passphrase, strlen(passphrase), false, master_key, &key_size); } @@ -202,8 +221,9 @@ cleanup: static char luks_help_text[] = "detect - detect if partition is LUKS encrypted\n" "luks info - show LUKS header information\n" - "luks unlock [-t] - unlock LUKS partition\n" - " -t: Use TKey hardware security token with passphrase as USS\n"; + "luks unlock [-t] [-p] - unlock LUKS partition\n" + " -t: Use TKey hardware security token with passphrase as USS\n" + " -p: Treat passphrase as hex-encoded pre-derived master key (skip KDF)\n"; U_BOOT_CMD_WITH_SUBCMDS(luks, "LUKS (Linux Unified Key Setup) operations", luks_help_text, diff --git a/doc/usage/cmd/luks.rst b/doc/usage/cmd/luks.rst index ccf915f5844..1a9cba875ce 100644 --- a/doc/usage/cmd/luks.rst +++ b/doc/usage/cmd/luks.rst @@ -13,7 +13,7 @@ Synopsis luks detect luks info - luks unlock [-t] + luks unlock [-t] [-p] Description ----------- 
@@ -97,7 +97,8 @@ This command: - **Without -t**: Uses PBKDF2 or Argon2id with the provided passphrase - **With -t**: Uses TKey hardware token with passphrase as USS (User-Supplied - Secret) to derive a disk encryption key + Secret) to derive a disk encryption key. You can use 'tkey connect' to + select which TKey to use, otherwise it uses the first one it finds. 4. Attempts to unlock each active key slot 5. Verifies the master key against the stored digest @@ -128,6 +129,12 @@ be used to access files on the unlocked partition. passphrase is used as the USS (User-Supplied Secret) to derive a disk encryption key from the TKey's public key. +-p + Optional flag to treat the passphrase as a hex-encoded pre-derived master + key, skipping the KDF (Key Derivation Function) step. This is useful when + the master key has already been derived externally, such as from a hardware + security module or other key management system. + interface The storage interface type (e.g., mmc, usb, scsi) @@ -250,6 +257,13 @@ Unlock using TKey hardware token:: Successfully unlocked with key slot 0! Unlocked LUKS partition as blkmap device 'luks-mmc-0:2' +Unlock using a pre-derived master key (hex-encoded):: + + => luks unlock -p mmc 0:2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + Unlocking LUKS2 partition... + Successfully unlocked with key slot 0! + Unlocked LUKS partition as blkmap device 'luks-mmc-0:2' + Configuration -------------
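Review bot: the replacement of uclass_first_device_err(UCLASS_TKEY, &tkey_dev) with tkey_get_device() in the first hunk of unlock_with_tkey() is not described in the commit message, which only covers the -p flag and the KDF change. It alters which token the -t path uses (the one selected with 'tkey connect', per the doc hunk) and drops the error code from the failure message ("err %dE"). Either mention it in the commit message or split it into its own patch so the -t behaviour change can be reviewed and bisected on its own.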
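Review bot: flipping the fifth argument of luks_unlock() from true to false in the TKey hunk (the "TKEY_DISK_KEY_SIZE, false, master_key, key_size" line) is a compatibility break that the commit message does not call out. The help text added in this same patch describes the true value as "skip KDF", so the 32-byte TKey output is now fed through the key-slot KDF instead of being used directly, and a volume whose key slot was enrolled against the raw TKey output under the old code will no longer unlock. The message explains the motivation (32 bytes is too short for LUKS2) but should state the break explicitly and say whether LUKS1 volumes enrolled the old way have any migration path.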
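Review bot: the new flag loop in do_luks_unlock() accepts -t and -p together, but the dispatch chain in the following hunk tests use_tkey first, so "luks unlock -t -p ..." silently ignores -p while the synopsis "[-t] [-p]" implies they combine. Reject the combination right after the loop, for example `if (use_tkey && pre_derived) return CMD_RET_USAGE;`, and write the synopsis as "[-t | -p]" in both the help text and luks.rst; otherwise document which flag wins.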
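Review bot: in the pre-derived branch, `size_t key_len = strlen(passphrase) / 2;` silently drops the last nibble of an odd-length hex string instead of rejecting it, and an empty argument gives key_len == 0 which is still passed to luks_unlock(); check `if (!key_len || (strlen(passphrase) & 1))` before the hex2bin() call and fail with "Invalid hex key" as the existing branch does. The decoded key in key_buf is also never cleared, whereas the TKey path does `memset(tkey_disk_key, '\0', sizeof(tkey_disk_key));` after use; wipe key_buf on both the success and the failure path. The unrelated whitespace fix on the "(const u8 *)passphrase" line belongs in a separate cleanup patch.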
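Review bot: the "This command:" step list in luks.rst still has only "Without -t" and "With -t" entries, and after this patch the "Without -t" bullet ("Uses PBKDF2 or Argon2id with the provided passphrase") is wrong for the -p case, which runs no KDF at all. Add a "**With -p**" bullet stating that the argument is decoded from hex and used directly as the master key, and adjust the "Without -t" wording to "Without -t or -p".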
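Review bot: the -p option description in luks.rst does not say what length the key must be. The code decodes at most 64 bytes (key_buf[64]) and the value has to match the master key size recorded in the LUKS header (32 bytes for a 256-bit key, 64 bytes for a 512-bit key), and the string must have an even number of hex digits; state both. It should also warn that the master key is given in plaintext on the command line and so ends up in the console log and command history, and that unlike a passphrase it cannot be rotated by changing a key slot: a leaked master key means the volume has to be re-encrypted.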
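Review bot: the new usage example unlocks a "LUKS2 partition" with a 64-hex-digit key, i.e. 32 bytes, while the commit message says a 32-byte value is not long enough to work with LUKS2. Either show a 128-hex-digit (64-byte) key, which matches the default 512-bit LUKS2 master key for aes-xts-plain64, or note in the example that the volume was created with a 256-bit key.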