From patchwork Fri Oct 31 06:53:57 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 651
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893709;
	bh=JITCSXyCCrkeKfbxtgcmjU7B42J7rQzaL5EYE0tKSuI=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=SKgXZa47qf47oQK7FDbI4U4JfoICghXzuWX2LvV0pDA7B/KJbQt5KrwpwGH+HuAlM
	 35qtlmJ4u+UK0AVOwL7nJXHiUAJiUQeQ15BkQA9APWhKHO1fzxwMxWI6WkFjaDUFp/
	 beH1PRgGQcir6Y4VcWKgWXSMm3dnQDay3/coVCvwG7DAtn2wbyGk1wMCrAT4ZakdGH
	 weijtC7NyZNaNUoVPFp+t2bwD5x51vCUkRhKVE6EvymgnWii8Z4I94SlN/jQreqDjW
	 QbEsVjbQ4B4WHIMqGnqV7DsUKUC0xerBDTOriBMOTPdmMFadONzLk8/0Ju9HLoY4lb
	 ykhngiIwt2mOw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id C462968361
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:09 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id EyqU4zTPBf52 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:09 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893708;
	bh=JITCSXyCCrkeKfbxtgcmjU7B42J7rQzaL5EYE0tKSuI=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=d8SqXt6LdPjX7XtefLgnMMrSMP6TKG+/+KWAxWInnVlnF+NMGUIEIY1VJsS0saAbW
	 9mEWW937iQ1z+JrFGXC0D3Cj+SeS3i1szcpaaeNMY6bB0s0TZ+35i+6SkxTdeZg43b
	 LTUVUthK7d6aaljsvh+eiLfGolOTP+oCUao7lUWFdpXM79UExbOEobq25fhp7ePphq
	 Sh66auB2lDSYZliZ3iMqpFC0xAK5yIJdn3DsS4w7f0q/xtB9uIHvxr6bruQiGe9pe9
	 4WWc1m1D4ur6I5HLWupTHHA8O8DRJN8e8MLBSoOxoKZvbS4POqtfkX7OhTX3sQokAr
	 v9Z8FriAoqvcw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id C62AC68321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:08 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893706;
	bh=N7v1hzqEDfn/ObBA48UFCYU6Cu7e6ywUBOG/d+g5YG4=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=su1CmUTbgslGKhdl2MfYn6m9+zRQZFaDsra9Ce3f/JiN9FfbcYw5wFp9QPrGEFJZK
	 9TOrcVQQU5/XjS7MHsFrczpFl1ffbOBdWRCsu4cG849iIOIPTjr0RTRnQRj7/R+nbv
	 egEynR3J+05dmgHVW+t3zzMwoAi7rHzqtm+lRpeM8O2OGnAURRdcGZzqH4ex3jCyFr
	 UsqScpzjghC/qd+9zsHyd0M05e/InGE62HpjLxXLWm/FpnWPnI17DWiEBsNqx/vuFH
	 HRLaDlDyn5AvbZSDPhmYVapOFq/Lfa4MpEz0T6CKuNneSR3iEQu2//1n+T/TyvmPNj
	 M6mOmzey5GjwQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 8517368320;
	Fri, 31 Oct 2025 00:55:06 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id 1k5bXW6CfRZ7; Fri, 31 Oct 2025 00:55:06 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893706;
	bh=9793R8MCXz4Yyx+ozIaDk6zVEt1M+oyDsF5j+pDN40E=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=mUoVB4gmXWS34XfeYY/9BhCfT8ufeeEQQYO3qGqtTEaXQqqNNy9MhFj8IO1DpduMW
	 IZ2XQlXX7kofQSK5B9XfIJBmusG5WLEk21XmSVd2l5vtSCNhaii2aFUIluhppFr0TK
	 696qO7097jSYqDeKSr/DvNPVUYV4c0copPiYiYLZVOpqp8qDYJrTRDJwcM+DGIaezS
	 TD7Zv055RVCt92J8Zpp3E8R/p9vOzk2VG7JrxROMQzj2hpMu0H8tMjQPv7oqevJe4T
	 cxcictedYJsU5tq/2cBga1hnKTLprUK9wUnWnkB4745tFdzI5nrHEmyM5fQm1mjUeZ
	 wBtcOBhdm5Oow==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id F09AF6827C;
	Fri, 31 Oct 2025 00:55:05 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:53:57 -0600
Message-ID: <20251031065439.3251464-2-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: DR3O4ERBI2RQMY72H74OVXPPOJC2UAKM
X-Message-ID-Hash: DR3O4ERBI2RQMY72H74OVXPPOJC2UAKM
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 01/24] aes: Fix key size handling for AES-192 and
 AES-256
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/DR3O4ERBI2RQMY72H74OVXPPOJC2UAKM/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

At present the aes_get_rounds() and aes_get_keycols() functions compare
the key_len parameter (in bits) directly against AES*_KEY_LENGTH
constants (in bytes), causing incorrect round and column counts for
non-128-bit keys.

Additionally, aes_expand_key() uses key_len as a byte count in memcpy(),
copying far more data than intended and causing buffer overflows.

Specifically, for AES-256 (256-bit key) it comparies 256 (bits) against
32 (bytes), failing the comparison. This causes AES-256 to use AES-128
parameters (10 rounds instead of 14) and the memcpy() to copy 256 bytes
instead of 32.

Fix by converting key_len from bits to bytes before comparisons and in
memcpy. With this we get:
- AES-128 (128 bits / 16 bytes): 10 rounds, 4 key columns
- AES-192 (192 bits / 24 bytes): 12 rounds, 6 key columns
- AES-256 (256 bits / 32 bytes): 14 rounds, 8 key columns

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 8302d1708ae ("aes: add support of aes192 and aes256")
---

 lib/aes.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/aes.c b/lib/aes.c
index 39ad4a990f0..3bcbeeab9af 100644
--- a/lib/aes.c
+++ b/lib/aes.c
@@ -513,10 +513,11 @@ static u8 rcon[11] = {
 static u32 aes_get_rounds(u32 key_len)
 {
 	u32 rounds = AES128_ROUNDS;
+	u32 key_len_bytes = key_len / 8;  /* Convert bits to bytes */
 
-	if (key_len == AES192_KEY_LENGTH)
+	if (key_len_bytes == AES192_KEY_LENGTH)
 		rounds = AES192_ROUNDS;
-	else if (key_len == AES256_KEY_LENGTH)
+	else if (key_len_bytes == AES256_KEY_LENGTH)
 		rounds = AES256_ROUNDS;
 
 	return rounds;
@@ -525,10 +526,11 @@ static u32 aes_get_rounds(u32 key_len)
 static u32 aes_get_keycols(u32 key_len)
 {
 	u32 keycols = AES128_KEYCOLS;
+	u32 key_len_bytes = key_len / 8;  /* Convert bits to bytes */
 
-	if (key_len == AES192_KEY_LENGTH)
+	if (key_len_bytes == AES192_KEY_LENGTH)
 		keycols = AES192_KEYCOLS;
-	else if (key_len == AES256_KEY_LENGTH)
+	else if (key_len_bytes == AES256_KEY_LENGTH)
 		keycols = AES256_KEYCOLS;
 
 	return keycols;
@@ -538,12 +540,13 @@ static u32 aes_get_keycols(u32 key_len)
 void aes_expand_key(u8 *key, u32 key_len, u8 *expkey)
 {
 	u8 tmp0, tmp1, tmp2, tmp3, tmp4;
-	u32 idx, aes_rounds, aes_keycols;
+	uint idx, aes_rounds, aes_keycols;
 
 	aes_rounds = aes_get_rounds(key_len);
 	aes_keycols = aes_get_keycols(key_len);
 
-	memcpy(expkey, key, key_len);
+	/* key_len is in bits; convert to bytes */
+	memcpy(expkey, key, key_len / 8);
 
 	for (idx = aes_keycols; idx < AES_STATECOLS * (aes_rounds + 1); idx++) {
 		tmp0 = expkey[4*idx - 4];

From patchwork Fri Oct 31 06:53:58 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 652
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893714;
	bh=QPIGWzfguGNftaHziUCtEhC5JsVID+oHZnqVQNmExUU=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=U7kl/Q5BTjq7gbxgJGEjP1MAEYY/ZHIqoZGVJ0fnuFRp23MQiwrPK3zAkGX/wP+vP
	 7S8cT8I9GWGL/ayUvymwr2ez142v7nn5Dc3COXd6ycOlYnmo9dbSKe54aN8NK30bPj
	 60/fZwbgof0uuru5CHp/vn6MpgmLGS/ibyK1MD0ostdpvmrmkXUqKwLLxHWioKmCFy
	 nE+yMXymVf+5Kl1MSogcFX0i9saOdrLSAaZ5wEezbB4W17BCWEY0XgP6qHBSYLwSl4
	 FDyR6D9kNwUk8qh3MleS4EIzyKQkvQPSE61RzQveJxwTstyElhlFYM77sWqxNpVuHH
	 h+uyxgWhrIQug==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 3523768351
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:14 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id r15vDukV7lxL for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:14 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893714;
	bh=QPIGWzfguGNftaHziUCtEhC5JsVID+oHZnqVQNmExUU=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=U7kl/Q5BTjq7gbxgJGEjP1MAEYY/ZHIqoZGVJ0fnuFRp23MQiwrPK3zAkGX/wP+vP
	 7S8cT8I9GWGL/ayUvymwr2ez142v7nn5Dc3COXd6ycOlYnmo9dbSKe54aN8NK30bPj
	 60/fZwbgof0uuru5CHp/vn6MpgmLGS/ibyK1MD0ostdpvmrmkXUqKwLLxHWioKmCFy
	 nE+yMXymVf+5Kl1MSogcFX0i9saOdrLSAaZ5wEezbB4W17BCWEY0XgP6qHBSYLwSl4
	 FDyR6D9kNwUk8qh3MleS4EIzyKQkvQPSE61RzQveJxwTstyElhlFYM77sWqxNpVuHH
	 h+uyxgWhrIQug==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 234AF68321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:14 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893712;
	bh=NLdFG5jVLOigELYfpn6dgB9MyhsaCjhSKkiBSxv+n4U=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=MouNh6nEojAkFplvX/D9SaoTxqCTJRQsqhBLhZN7JQgl6ueTgfRkdXwQbgikZjLiA
	 aYiMAXq80R8kVoABfBlUxvM9IixUFgF8yXx8x57zVdYGKW4hJiqarOcIpjsaAd1FZg
	 /LJ0abg//y9LcPTON3LC5zWz0HQk0pIbwalPUvMlK+rtgsobz+63THcL0Gp0WcZwWH
	 xiqp3mo2xcZ66UaI0Kf/oTUhOcAKG2864Bprx7FtqbvtEiSO+W1Bwpu4Khh4IQw63k
	 tn2Pe6M+UCvUqQJ53WknFvIckT/BNHhJsw7JR+U3kY9Ga2a2oCVdRWlJMWazxLv/H+
	 vljjBQFXiesiw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 0C8F068321;
	Fri, 31 Oct 2025 00:55:12 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id qWxg1MZooFs2; Fri, 31 Oct 2025 00:55:11 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893707;
	bh=IxK2A6PR34RbDXdqc4/hz29OdsqiL/1zW3kdSRtV+B4=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=JDJKI5TL5GuL1Vggt8G2KCZKoGe4ezfIUdJ+6q55veVF4X3SRIFmVEORCezFKwTJc
	 ap0wP3Lms0SFlSWITVo0pSCSduw5jGn20gZN3rUhrm72p6fNnJWTE23oExI5X2iOXl
	 HGA0/CrmUYPm0mujmUXNxYYaycoGtCNERglePID1QfJKqpgwl1HP4PG+jMVPHJs9Cr
	 RlyQFf9Nj/1otbPNSkGgIfzhLIuLhHaY+ilytffIXXw5atT/5gVPnoKYcBanpGk40p
	 CJaLarWg02iUtqYk7vz7ucF76VN8HYAtvj+yzPQJd8S7BMubV4rlA/8KQWY9ICS5YQ
	 s7mQ2hM2Wce6w==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id C1BB76827C;
	Fri, 31 Oct 2025 00:55:06 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:53:58 -0600
Message-ID: <20251031065439.3251464-3-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: MAELIIKSHOZR3ZVWZJASQYK45Q7RBCXA
X-Message-ID-Hash: MAELIIKSHOZR3ZVWZJASQYK45Q7RBCXA
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 02/24] doc: Provide documentation for the blkmap
 command
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/MAELIIKSHOZR3ZVWZJASQYK45Q7RBCXA/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

This command lacks documentation in the normal place. Add it.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 doc/usage/blkmap.rst     |   5 +
 doc/usage/cmd/blkmap.rst | 323 +++++++++++++++++++++++++++++++++++++++
 doc/usage/index.rst      |   1 +
 3 files changed, 329 insertions(+)
 create mode 100644 doc/usage/cmd/blkmap.rst

diff --git a/doc/usage/blkmap.rst b/doc/usage/blkmap.rst
index 75f736c259f..e9b3cfeaaa1 100644
--- a/doc/usage/blkmap.rst
+++ b/doc/usage/blkmap.rst
@@ -109,3 +109,8 @@ Now we can access the filesystem:
 
    blkmap get sq dev devnum
    load blkmap ${devnum} ${loadaddr} /etc/version
+
+See also
+--------
+
+* :doc:`/usage/cmd/blkmap`
diff --git a/doc/usage/cmd/blkmap.rst b/doc/usage/cmd/blkmap.rst
new file mode 100644
index 00000000000..aaa4cd403c0
--- /dev/null
+++ b/doc/usage/cmd/blkmap.rst
@@ -0,0 +1,323 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+.. index::
+   single: blkmap (command)
+
+blkmap command
+==============
+
+Synopsis
+--------
+
+::
+
+    blkmap info
+    blkmap part
+    blkmap dev [<dev>]
+    blkmap read <addr> <blk#> <cnt>
+    blkmap write <addr> <blk#> <cnt>
+    blkmap get <label> dev [<var>]
+    blkmap create <label>
+    blkmap destroy <label>
+    blkmap map <label> <blk#> <cnt> linear <interface> <dev> <blk#>
+    blkmap map <label> <blk#> <cnt> mem <addr>
+
+Description
+-----------
+
+The *blkmap* command is used to create and manage virtual block devices that
+are composed of one or more "slices" mapped from other block devices or memory
+regions.
+
+See :doc:`../blkmap` for an overview of the blkmap subsystem and usage examples.
+
+label
+    Unique label assigned to a blkmap device during creation. Used to identify
+    the device for subsequent operations (map, get, destroy).
+
+blk#
+    Block number. Blocks are 512 bytes in size. When used as a starting position,
+    this specifies where in the device to begin the operation. When used as a
+    mapping parameter, it indicates which block in the source or destination to
+    use.
+
+cnt
+    Number of blocks (count). Each block is 512 bytes, so cnt=1 represents 512
+    bytes, cnt=2048 represents 1MB, etc.
+
+addr
+    Memory address in hexadecimal format (e.g., ${loadaddr}, 0x82000000). Used
+    for specifying where to read/write data or where a memory region is located.
+
+blkmap info
+~~~~~~~~~~~
+
+List all configured blkmap devices and their properties::
+
+    blkmap info
+
+This displays information about all active blkmap devices, including device
+number, vendor, product, revision, type, and capacity.
+
+blkmap part
+~~~~~~~~~~~
+
+List available partitions on the current blkmap device::
+
+    blkmap part
+
+This command displays the partition table of the currently selected blkmap
+device. If the device has no partition table (whole-disk filesystem), it will
+report "no blkmap partition table available".
+
+blkmap dev
+~~~~~~~~~~
+
+Show or set the current blkmap device::
+
+    blkmap dev [<dev>]
+
+dev
+    Optional device number to set as current. If omitted, displays the current
+    device information.
+
+blkmap read
+~~~~~~~~~~~
+
+Read data from the current blkmap device::
+
+    blkmap read <addr> <blk#> <cnt>
+
+blkmap write
+~~~~~~~~~~~~
+
+Write data to the current blkmap device::
+
+    blkmap write <addr> <blk#> <cnt>
+
+**Note**: Write support is limited and may not be available for all blkmap
+types.
+
+blkmap get
+~~~~~~~~~~
+
+Get the device number for a labeled blkmap device::
+
+    blkmap get <label> dev [<var>]
+
+var
+    Optional environment variable name to store the device number. If omitted,
+    the device number is printed to stdout.
+
+This is useful for scripting, allowing you to find a blkmap device by its label
+and store or use its device number.
+
+blkmap create
+~~~~~~~~~~~~~
+
+Create a new blkmap device with the specified label::
+
+    blkmap create <label>
+
+After creation, the device has no mappings and is empty. Use ``blkmap map``
+to add slices to the device.
+
+blkmap destroy
+~~~~~~~~~~~~~~
+
+Destroy a blkmap device and free its resources::
+
+    blkmap destroy <label>
+
+This removes the blkmap device and all its mappings. Any data stored only in
+the blkmap device will be lost.
+
+blkmap map - linear
+~~~~~~~~~~~~~~~~~~~
+
+Map a region from another block device into the blkmap device::
+
+    blkmap map <label> <blk#> <cnt> linear <interface> <dev> <blk#>
+
+label
+    Label of the blkmap device to map into
+
+blk#
+    Starting block number in the blkmap device where this mapping begins
+
+cnt
+    Number of blocks to map
+
+interface
+    Source device interface (e.g., mmc, usb, scsi)
+
+dev
+    Source device number
+
+blk# (last parameter)
+    Starting block number on the source device
+
+This creates a linear mapping that redirects reads from a region of the blkmap
+device to the corresponding region on another block device. Multiple mappings
+can be added to compose a single virtual device from multiple sources.
+
+blkmap map - mem
+~~~~~~~~~~~~~~~~
+
+Map a memory region as a block device::
+
+    blkmap map <label> <blk#> <cnt> mem <addr>
+
+label
+    Label of the blkmap device to map into
+
+blk#
+    Starting block number in the blkmap device where this mapping begins
+
+cnt
+    Number of blocks to map
+
+addr
+    Memory address of the data to map
+
+This creates a mapping that exposes a memory region as block device sectors.
+The memory region must be at least ``cnt * 512`` bytes in size.
+
+Usage Examples
+--------------
+
+See :doc:`../blkmap` for complete examples including:
+
+* Netbooting an Ext4 image
+* Accessing filesystems inside FIT images
+* Creating composite devices from multiple sources
+* Using memory-backed block devices
+
+Implementation Details
+----------------------
+
+Blkmap devices are implemented as standard U-Boot block devices (UCLASS_BLK)
+with a custom driver. Each device maintains an ordered list of "slices" -
+mappings from a range of blocks to a source (another device or memory region).
+
+See :doc:`../blkmap` for more details on the implementation.
+
+Configuration
+-------------
+
+The blkmap command is available when CONFIG_CMD_BLKMAP is enabled::
+
+    CONFIG_BLKMAP=y
+    CONFIG_CMD_BLKMAP=y
+
+Return Value
+------------
+
+The return value $? is set to 0 on success, 1 on failure.
+
+Examples
+--------
+
+List all blkmap devices
+~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap info
+    Device 0: Vendor: U-Boot Rev: 1.0 Prod: blkmap
+                Type: Hard Disk
+                Capacity: 60.0 MB = 0.0 GB (122880 x 512)
+
+Check or set current device
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap dev
+    Device 0: Vendor: U-Boot Rev: 1.0 Prod: blkmap
+                Type: Hard Disk
+                Capacity: 60.0 MB = 0.0 GB (122880 x 512)
+    ... is now current device
+
+    => blkmap dev 0
+    Device 0: Vendor: U-Boot Rev: 1.0 Prod: blkmap
+                Type: Hard Disk
+                Capacity: 60.0 MB = 0.0 GB (122880 x 512)
+    ... is now current device
+
+Create a new device
+~~~~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap create mydisk
+    => blkmap info
+    Device 0: Vendor: U-Boot Rev: 1.0 Prod: blkmap
+                Type: Hard Disk
+                Capacity: 0.0 MB = 0.0 GB (1 x 512)
+
+Map a linear region from MMC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Map MMC blocks 1000-1999 to blkmap blocks 0-999::
+
+    => blkmap create composed
+    => blkmap map composed 0 1000 linear mmc 0 1000
+
+Map memory as a block device
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Map 1MB of memory as blocks::
+
+    => blkmap create ramdisk
+    => blkmap map ramdisk 0 2048 mem ${loadaddr}
+
+Read from a blkmap device
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap dev 0
+    => blkmap read ${loadaddr} 0 10
+    blkmap read: device 0 block # 0, count 10 ... 10 blocks read: OK
+
+Get device number by label
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap get testdev dev mydev
+    => printenv mydev
+    mydev=0
+
+Complete workflow example
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Create, map, and use a device::
+
+    => blkmap create testdev
+    => blkmap map testdev 0 2048 linear mmc 0 2048
+    => blkmap dev 0
+    => blkmap read ${loadaddr} 0 1
+
+Destroy a device
+~~~~~~~~~~~~~~~~
+
+::
+
+    => blkmap destroy mydisk
+
+Accessing whole-disk filesystems
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Blkmap devices often contain whole-disk filesystems (no partition table).
+Access them using partition 0 or omitting the partition specification::
+
+    => ls blkmap 0 /
+    => ext4load blkmap 0 ${loadaddr} /boot/vmlinuz
+    => cat blkmap 0 /etc/config.txt
+
+See Also
+--------
+
+* :doc:`../blkmap` - Blkmap device documentation and examples
diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 701f03ca373..2fff101868c 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -34,6 +34,7 @@ Shell commands
    cmd/bdinfo
    cmd/bind
    cmd/blkcache
+   cmd/blkmap
    cmd/bootd
    cmd/bootdev
    cmd/bootefi

From patchwork Fri Oct 31 06:53:59 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 653
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893717;
	bh=czHNwxlSxX3yJ3Pu1OsRzR3ScuL/LuVBopuFtsR5TwM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=JV2fQUVg7cPv/YFfKeLG2fbAr+DcFLjJrpaDCnCMv5nwg8JT/rI4sWEB791XbqeFB
	 9zf6nv+2n1fAArLT8nEPWvccTAZWl3gHWD/F9jZ52oYUkUeqIl8VoQ/MgN+6C0qAL4
	 tZVhiCURL0PPSWbjkaNJ2c/KLQxu5+end6GjsfNFKKfN7mz64DcwYxxRx9ZUTTULbv
	 wj0QzbybsOdxOYNaAfhXlJa4XU4gvro7r8egSzfLvnMde64FzbCH6DuGbSVdglQ3d1
	 X5Gt+4Vs56dINQUI89iPU/UUq4OjKkh5fTSIfnMMSLx2sGDFEQOPBYLEUpVi8bguyE
	 uIC9H3e6tZIlw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id EE4EE68351
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:17 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id F5HcEPSGq0_R for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:17 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893717;
	bh=czHNwxlSxX3yJ3Pu1OsRzR3ScuL/LuVBopuFtsR5TwM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=JV2fQUVg7cPv/YFfKeLG2fbAr+DcFLjJrpaDCnCMv5nwg8JT/rI4sWEB791XbqeFB
	 9zf6nv+2n1fAArLT8nEPWvccTAZWl3gHWD/F9jZ52oYUkUeqIl8VoQ/MgN+6C0qAL4
	 tZVhiCURL0PPSWbjkaNJ2c/KLQxu5+end6GjsfNFKKfN7mz64DcwYxxRx9ZUTTULbv
	 wj0QzbybsOdxOYNaAfhXlJa4XU4gvro7r8egSzfLvnMde64FzbCH6DuGbSVdglQ3d1
	 X5Gt+4Vs56dINQUI89iPU/UUq4OjKkh5fTSIfnMMSLx2sGDFEQOPBYLEUpVi8bguyE
	 uIC9H3e6tZIlw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DDD0768320
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:17 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893716;
	bh=MguqZmCdrk7o+j7pHV2i0PQTvYj+5p9Qw6qFDdNqyRc=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=p31GHce2icCQPOZhDh6P4zbbAkRrrvfGyCoCXx2TYQNblTtTLjL03IHXMJM6zsDWf
	 a3WL18khyROgzmAe98r5JseAVd676a3zhDsbp92bz3sYg98BUlPWJ6AGDxQh37hWQ8
	 W9jireIvu5ZRbqqKPxU8PFdWhWWQTa9vCd7Y/QPcLbNkZRvM5awl3h958ZEyY9DKHX
	 vjGaqfVaOHCLK3YLdfym0tQEb+kfgsiu5jefyk3VWKlbTtCVDBA1GpH6bvhfUO8+3k
	 xboKlIzkbbtv6pgE4ZAI/rndfTODhMtsCosRYAn+CgRWY94j9QHZn3kufs8CStINIF
	 p1V4qkE/7AK8g==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 6EE9968356;
	Fri, 31 Oct 2025 00:55:16 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id DHziekGuGo_n; Fri, 31 Oct 2025 00:55:16 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893711;
	bh=kSe01b2KJbTczr7hWwvjwLBw+o3+JEcW+tiolbhRkLw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=j1Y5HrYn/9IbpQCm77ytgKF0Huk0xrCbAqfl2jxuLhAt4Fa1mHBoKtSmWPWzxXIy6
	 GcKyw2RBq2PoqPnv1ndhcfK1ldhw02CxkRBia5qXf4DN5B/eCgGqRht+fJK0Ifz43+
	 UdnCV/lW71ugJJE9IQy4tVG+kR/+Gb77PPeOSF3foWaH/8GtGh9Wzeo7Udlx/6IWkJ
	 yBFJR1BnEFopBpxiOzmH7kLYyytW4Kx2hPy2m+iUPeav7d5QidHy65aiVxau+ivDuv
	 wEjQOq24Xz4mwez1B1czGjxRS0HUpYcyQcpdE7LbGKCMnmsrrayn0XmHklk8H5U+58
	 7LTneKR2uqoTQ==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 68C09682CD;
	Fri, 31 Oct 2025 00:55:11 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:53:59 -0600
Message-ID: <20251031065439.3251464-4-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: QZLWPEG64WJQCVMBH7GSC3QX3HEIH5LE
X-Message-ID-Hash: QZLWPEG64WJQCVMBH7GSC3QX3HEIH5LE
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 03/24] log: Provide a macro to log a hex string
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/QZLWPEG64WJQCVMBH7GSC3QX3HEIH5LE/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add a new log_debug_hex() macro which can log a a buffer as a hex
string, e.g. for showing a hash value.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 include/log.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/log.h b/include/log.h
index 4f6d6a2c2cf..e1a12c26133 100644
--- a/include/log.h
+++ b/include/log.h
@@ -188,6 +188,22 @@ int _log_buffer(enum log_category_t cat, enum log_level_t level,
 #define log_io(_fmt...)		log(LOG_CATEGORY, LOGL_DEBUG_IO, ##_fmt)
 #define log_cont(_fmt...)	log(LOGC_CONT, LOGL_CONT, ##_fmt)
 
+/**
+ * log_debug_hex() - Print hex bytes for debugging
+ *
+ * @_label: Label to print before the hex bytes
+ * @_data: Pointer to the data to print
+ * @_len: Number of bytes to print
+ */
+#define log_debug_hex(_label, _data, _len) do { \
+	const u8 *__data = (const u8 *)(_data); \
+	int __len = (_len); \
+	log_debug("%s ", _label); \
+	for (int __i = 0; __i < __len; __i++) \
+		log_cont("%02x", __data[__i]); \
+	log_cont("\n"); \
+} while (0)
+
 #ifdef LOG_DEBUG
 #define _LOG_DEBUG	LOGL_FORCE_DEBUG
 #ifndef DEBUG

From patchwork Fri Oct 31 06:54:00 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 654
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893721;
	bh=B0m1xN3NnwEg3a0Swb8QBOvhyrGKDenDy30A4Ftc6oY=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=jGDmYgC05r0IbIAD99YTPt2O+4KF80Er5ZyACjHs4si0v6BBxAYEHz3Pyv8YqWgFg
	 w53kLBix+uTr2hrl8eQ9IUi2dkWAABrW5oAMu+RcUJK/PHXgJb9x3WmUQGmWxoJQj/
	 zjWI4InCzaTAvZr4zxgycPUqCD1TXB9010kQI3kF2/JzbtW5ZFc2s4iEzGOXbTovQY
	 ROJYZkZUDyLcP0oXpAfmoRw+U3U3PCOe7jneqdIvbZruvSJPkvUi518LXNyxNmbhzw
	 RsrJu1qKTuLEyNX/7bK238Qp8IXCjgLparp7PJqpXNo0kDah/frBHtiwCZOZhe+hSM
	 sRKiMgjfilZ0Q==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 5367268351
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id BFd0aYOtz4zY for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893721;
	bh=B0m1xN3NnwEg3a0Swb8QBOvhyrGKDenDy30A4Ftc6oY=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=jGDmYgC05r0IbIAD99YTPt2O+4KF80Er5ZyACjHs4si0v6BBxAYEHz3Pyv8YqWgFg
	 w53kLBix+uTr2hrl8eQ9IUi2dkWAABrW5oAMu+RcUJK/PHXgJb9x3WmUQGmWxoJQj/
	 zjWI4InCzaTAvZr4zxgycPUqCD1TXB9010kQI3kF2/JzbtW5ZFc2s4iEzGOXbTovQY
	 ROJYZkZUDyLcP0oXpAfmoRw+U3U3PCOe7jneqdIvbZruvSJPkvUi518LXNyxNmbhzw
	 RsrJu1qKTuLEyNX/7bK238Qp8IXCjgLparp7PJqpXNo0kDah/frBHtiwCZOZhe+hSM
	 sRKiMgjfilZ0Q==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 43B3468321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893720;
	bh=aw3NyJTE0nT4eEWTKobu56Yz/gVMj3WB3eXYNFll8/k=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Z8fkx6y5FgFv5VtFwyTOSszfA9VdQD8gY4ziemTEXGTm4nHuFo7+pOWjI+/ceHGAV
	 wodRQhEnuyaKD/2HzD7FnmIf4DJXA9yySHqqlrY0zHlLJOXsNdmeOZTg/lOGTaeBiN
	 JtlglGm48HbNvxHeiOOhEr3+qoftaylxGKR2P17g3/1mJJAH8isKf9iHwDXYIr1ehA
	 58ZrBn4g7hqJI4h7u0TFaRmSAO+FXcpp+cHaw1JoW33hGJyZ+gI/D0WSKuM/GFBb6U
	 oJDxTPMjjtfU1yVoepgmflU1RLKmJFckxsYU6OVeVNxeq3k1JLiu6ZS1eZ5VlHF2Jp
	 YJ7XAJRYAUq4w==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4D5AA682CD;
	Fri, 31 Oct 2025 00:55:20 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id pUbPwy6GKv7G; Fri, 31 Oct 2025 00:55:20 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893716;
	bh=VAZsIVks+jqw/DMSxLI3PM87UMqTg4+ylyaAgOl3W9A=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=eho54YBZuKqim9tZhdGmGXjZmO+M9FIdenVvnx/xIWaWsUgeN0+kuPbQ8qTdVipnC
	 6NZhc9kARo9LWfHZnS4XSAgy3ZTZmq44iaGcArfjct9zQcvAUnPIEjIpPW1R0v8aJk
	 mr6iGNY/1nzLUMWL/jnEQTxkrCok0TYoHO2HVrxyoBGi4mCArmLcPwuJhzMu1wrQa9
	 WtGDLgilk62dhgHZpaLra8S/761eRpuMTmpoBW5OyPd3HEv+KzfRuGbOP/tEA6afU+
	 RKngxU7kF+GO3wtR/PCoLiLnZCROkngbkEiPnetEbdcbnAVw3uJRQVP/6p5JPgdyl2
	 Yu9y2Zlpb6dZw==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 04B2768325;
	Fri, 31 Oct 2025 00:55:15 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:00 -0600
Message-ID: <20251031065439.3251464-5-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: P3WIPSHSL7KHFTH2ONWR3LEVIDQRZMW3
X-Message-ID-Hash: P3WIPSHSL7KHFTH2ONWR3LEVIDQRZMW3
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 04/24] panic: Provide a way to poweroff on panic
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/P3WIPSHSL7KHFTH2ONWR3LEVIDQRZMW3/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

For sandbox it normally doesn't make sense to reset when a panic occurs,
since presumably it will just happen again. Add an option to power off
instead.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 lib/Kconfig | 8 ++++++++
 lib/panic.c | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/Kconfig b/lib/Kconfig
index c45a98313aa..9de4667731e 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -263,6 +263,14 @@ config PANIC_HANG
 	  development since you can try to debug the conditions that lead to
 	  the situation.
 
+config PANIC_POWEROFF
+	bool "Power off the system on fatal error"
+	help
+	  Define this option to power off the system in case of a fatal error,
+	  instead of resetting. This is useful for development and testing to
+	  avoid infinite reset loops when debugging issues like stack smashing.
+	  The system will power off using sysreset.
+
 config REGEX
 	bool "Enable regular expression support"
 	default y if NET
diff --git a/lib/panic.c b/lib/panic.c
index 0f578b5b513..adc338860a5 100644
--- a/lib/panic.c
+++ b/lib/panic.c
@@ -13,6 +13,9 @@
 #if !defined(CONFIG_PANIC_HANG)
 #include <command.h>
 #endif
+#if defined(CONFIG_PANIC_POWEROFF)
+#include <sysreset.h>
+#endif
 #include <linux/delay.h>
 #include <stdio.h>
 
@@ -23,6 +26,11 @@ static void panic_finish(void)
 	putc('\n');
 #if defined(CONFIG_PANIC_HANG)
 	hang();
+#elif defined(CONFIG_PANIC_POWEROFF)
+	flush();  /* flush the panic message before power off */
+
+	sysreset_walk(SYSRESET_POWER_OFF);
+	hang();  /* hang if power off fails */
 #else
 	flush();  /* flush the panic message before reset */
 

From patchwork Fri Oct 31 06:54:01 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 655
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893723;
	bh=ZRM8519qaPgp6uTP60Vek6o7apTFdo3PveOLsCjzbvA=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=FejRIdqkgQawziCy88L7OKwD4GFgwKPadDVC9iqooBOESUUZ3xIolw99XyMI5C24Z
	 +9xDGGKbsqOvgsuFXobjkNLhQgvTXWTbBibuWpofq6gMwyFbiXcfz/lGx+u5XHe/cA
	 HJMeVvOn9L2Gl1nlIah9krHgWweltgJzb9XRI09SV368aUrYyvFcBEF4YGVQrjxW9M
	 7xS3hsElYobU5XlM7bhuBpu8cAwq871j+LhM/8xNstXmGdneWGO+xh6AoNFR8IYG4G
	 Ae8AYkQPa3cBWjmhsf7TdYYZM1o5Lxq2/bK8T3AmXV+DLtg4rtruHDw8DQPPPWu7Ax
	 Otnl82hqWvnyA==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 9A7336827C
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:23 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 49azSE9vLjgE for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:23 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893722;
	bh=ZRM8519qaPgp6uTP60Vek6o7apTFdo3PveOLsCjzbvA=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=HmmaPlYTxx+CcUyiWel274u+sOGhHZTukv8r8WHZBEZZdxZfUvHrAup6q2PGWiZGa
	 /rsrASJ/9eDGUcjojBJRlO/7HWTdX6JuNM43PvK/c/L4UKefyMzmDxO3sHmyPDmjtk
	 X7TeztmGv/ACRvR6LFIM6T/wTk+rPzAX4nrG76diUML2wyscMhxyr8oXayNF6ubFU8
	 fUGjBvHmUU8hkxRAGkKUNpX0bBSGRmi2A2dWHofK1c4vZU56TPpEp/d9g6ohvVCzkI
	 VNb1xvCJOQMM6cpgkhYbJF3+rBGeIFwjW8Qhd5a4OnbiSknZwz79OLKmuv9xV9+5WU
	 hBKGlJxmFON7A==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id A663A68325
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:22 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893721;
	bh=TXQJoaKFi6F04Ycvc6mWC2FVpZ/sv50m10PA607a/YQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=hNsIvO/MFORognuHB9mwEpnBqtLSrk9AlTytO6G94XT6iusdBZLJ+OeF6MYPl4UVQ
	 2tNyyyol7bRwaPzUaEazYhYox7MoB0Ao5r2UfIAuFa1x0z4fYVaUyfOgrsz4k1jW9h
	 +nKOuztdmOMKPWcDjkxJePu3Nj0+GPS6nHAqKZ9NfvR75+dJJmk5a2EJviRWKjafh2
	 nZh1e8ufX/1R8GdIzcvdWOLi6OWCEOYFTTWFENAbnR7a8nQk/9ygranGG5/6Sgboxz
	 XRKhArcptXeKcQ4Ndv1odKEI8xJqrHqgA5Zwg2HSFmjFcjsrauoXiLsr7CFfZ1tO2g
	 xAR1KXV9tIFIA==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 15397682CD;
	Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id LNWYOGfTrGQi; Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893720;
	bh=hPOA+l6IhlFRfJLY7w4y6M81DQq2vzsP5zw/4jaNPnI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=pvuFqxCBZrAXSpOaDIoDYxH/5VvOdEccvawDPWvEVly1eTFtNgzu7J9USPREnAoC/
	 uLqHjTlmEBmWNFFvclqscxkCPf2jrBm62Q5KizWG+l+1nArRVy4DKsztAMsId1a7nk
	 f+M37k+5OYTkylsneWE4CajQWWiL1PlOhs6otv+iplZSQfUR1JR7fZUCJcnCR/d/su
	 bEdydmj/lc4gRLNis8TXgRLdfjIJENwKZ57YPPI7DTSsovuD7g9Ssk/pwLX6VTrsWv
	 2uHN1uSRSeboKIF/twubaMFUMEow2P2Iq7bJ2rMBF+E+9sftc//3NMmU/zGT5mhxmu
	 JjoninH2QEDWw==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 911AD68320;
	Fri, 31 Oct 2025 00:55:20 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:01 -0600
Message-ID: <20251031065439.3251464-6-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: UIUS7KQ65J2654ZSEBMJCVEIBUFHPZWQ
X-Message-ID-Hash: UIUS7KQ65J2654ZSEBMJCVEIBUFHPZWQ
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 05/24] sandbox: Enable CONFIG_PANIC_POWEROFF
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/UIUS7KQ65J2654ZSEBMJCVEIBUFHPZWQ/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Enable this option so that sandbox exits when a panic occurs, rather
than resetting in a loop.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 configs/sandbox_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 0d115368d1b..601afde421d 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -359,6 +359,7 @@ CONFIG_FS_CBFS=y
 CONFIG_FS_EXFAT=y
 CONFIG_FS_CRAMFS=y
 CONFIG_ADDR_MAP=y
+CONFIG_PANIC_POWEROFF=y
 CONFIG_CMD_DHRYSTONE=y
 CONFIG_MBEDTLS_LIB=y
 CONFIG_ECDSA=y

From patchwork Fri Oct 31 06:54:02 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 656
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893727;
	bh=wqPhogXh5SRR60idczNI8OqphwVZ0NXCVyDjq3JMfaM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=HCoe2jFEbKaE3aroSnSI/4gVX9HZ7oYGiXS6KfUbsTUoYugYYPSJep1Yg3hbtIUds
	 t7w9ra+mBZYxuDZLT/VmpdZ05B4GaUto503t4TZIm6t56i8wszhtuvFGLxOBxRgvhf
	 dP6uYToa2KoiriUeI95zbDFhOREbB0e0R8yLnvPfxQ/yIoF8yhzqO0fgTHC9fkuVoj
	 Xj/TnSZBZOEmW08h0SOP9WMp3F5JiUGyeasmBL72IxJkTK/S/AnvqWDC5DE10oUWiq
	 KdbL4DKP2k9WC/R3BwXiRz7JMQP575B+PUhage/WzN7lmpQD8Jph89+HTv5V1KfKNJ
	 uV3tIBlUqyVVg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4152268356
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:27 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 5SaLcmEmxBS0 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:27 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893727;
	bh=wqPhogXh5SRR60idczNI8OqphwVZ0NXCVyDjq3JMfaM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=HCoe2jFEbKaE3aroSnSI/4gVX9HZ7oYGiXS6KfUbsTUoYugYYPSJep1Yg3hbtIUds
	 t7w9ra+mBZYxuDZLT/VmpdZ05B4GaUto503t4TZIm6t56i8wszhtuvFGLxOBxRgvhf
	 dP6uYToa2KoiriUeI95zbDFhOREbB0e0R8yLnvPfxQ/yIoF8yhzqO0fgTHC9fkuVoj
	 Xj/TnSZBZOEmW08h0SOP9WMp3F5JiUGyeasmBL72IxJkTK/S/AnvqWDC5DE10oUWiq
	 KdbL4DKP2k9WC/R3BwXiRz7JMQP575B+PUhage/WzN7lmpQD8Jph89+HTv5V1KfKNJ
	 uV3tIBlUqyVVg==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 2F067682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:27 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893725;
	bh=dZ4s4pm7vh68RxxcVSpU7BXphcnpA/PLmw2Te24H3Rg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=lxKG2fYU6CdEtVf4HDKeESr/oGbxw8daeL7chICk9pkk23ukhYZBor/E4bzx5RIzf
	 V2hiLYQrIarSSrRjUULC5sjB3L4Rog9W0Bg2SvGyQjN71/fhMC4SVqI2IMkH+hIZXB
	 f+8Hlvn8TDRKbcxyli664+J+WsyZp7v2gn/H1fFtP1f/faLuylEM5w5cCGrpbv2BKy
	 43fhB9FqcsfYXM4CJZKQECw1GmMgdFfRwCm+zKqpUakfvKj3TUroxE9ixYt0SZRB3e
	 dTJObMPru4Ack3dFWN2GSPI/bQmk5wPY5Bhh/Qq0A5bMkbYucxm71dEEFc/nJQTDwk
	 0tku3+pOhQ62w==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DEE916827C;
	Fri, 31 Oct 2025 00:55:25 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id 8gQEuuAY5Tmd; Fri, 31 Oct 2025 00:55:25 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893721;
	bh=pri76NJxHvalPL8FW8RUF30kYlE1jDJ2JSNoZrtt85s=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=aAYADB66hPApJcU04CpK57857Wp4MXrAGCvo95MCRBfpYCcgyIeSaqGtD5SOpTaaJ
	 KCcz+8oKz74oqS8kwr3U32MvlwSv2T4mmrZz4DLRVnGQWhk3wrApCrgLbhXsIMveGS
	 bhoqDQnOTo9rFAbSktYy2eQTgRbEL7toD5vuAB2romOqvLJxwr9X+UjOIUHA6pB0eP
	 eGeT6VZ0TSHgaiS/W/BcLbaOewrsT6EF65ubmchkguN4CwFABGuoyPi3ubjmow3Yon
	 2AV2Zl5E8okAMvaIeCnjCoirrIeNNJWrMDfldHSnCNxmzxvVhS2foGsRNWxaAPCvsc
	 1n2WTvyFL6Q6g==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 5823668321;
	Fri, 31 Oct 2025 00:55:21 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:02 -0600
Message-ID: <20251031065439.3251464-7-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: TOY2C73EINP7ZHG2H7GPSRZQE36PVDEM
X-Message-ID-Hash: TOY2C73EINP7ZHG2H7GPSRZQE36PVDEM
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 06/24] sandbox: Add devon and devoff subcommands to
 sb
 command
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/TOY2C73EINP7ZHG2H7GPSRZQE36PVDEM/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

There are quite a few media devices in test.dts which are not enabled by
default, so are not bound on startup. Sometimes it is useful to be able
to use these from the command line.

Add 'sb devon' and 'sb devoff' subcommands to enable and disable devices
from the device tree. For example, running sandbox with -T, then
'sb devon mmc11' enables the mmc11 device mentioned in test.dts

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 cmd/sb.c             | 107 +++++++++++++++++++++++++++++++++++--
 doc/usage/cmd/sb.rst |  40 +++++++++++++-
 test/cmd/Makefile    |   1 +
 test/cmd/sb.c        | 123 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 267 insertions(+), 4 deletions(-)
 create mode 100644 test/cmd/sb.c

diff --git a/cmd/sb.c b/cmd/sb.c
index 79f3fb0aacd..7de43e7edc3 100644
--- a/cmd/sb.c
+++ b/cmd/sb.c
@@ -10,6 +10,10 @@
 #include <asm/cpu.h>
 #include <asm/global_data.h>
 #include <asm/state.h>
+#include <dm/device-internal.h>
+#include <dm/lists.h>
+
+DECLARE_GLOBAL_DATA_PTR;
 
 static int do_sb_handoff(struct cmd_tbl *cmdtp, int flag, int argc,
 			 char *const argv[])
@@ -47,12 +51,109 @@ static int do_sb_state(struct cmd_tbl *cmdtp, int flag, int argc,
 	return 0;
 }
 
+static int do_sb_devon(struct cmd_tbl *cmdtp, int flag, int argc,
+		       char *const argv[])
+{
+	struct udevice *dev;
+	ofnode root, node;
+	int ret;
+
+	if (argc != 2)
+		return CMD_RET_USAGE;
+
+	/* Find the specified device tree node */
+	root = oftree_root(oftree_default());
+	node = ofnode_find_subnode(root, argv[1]);
+	if (!ofnode_valid(node)) {
+		printf("Device tree node '%s' not found\n", argv[1]);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Check if device is already bound */
+	ret = device_find_global_by_ofnode(node, &dev);
+	if (!ret) {
+		printf("Device '%s' is already enabled\n", argv[1]);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Bind the device from device tree */
+	ret = lists_bind_fdt(gd->dm_root, node, &dev, NULL, false);
+	if (ret) {
+		printf("Failed to bind device '%s' (err %dE)\n", argv[1],
+		       ret);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Probe the device */
+	ret = device_probe(dev);
+	if (ret) {
+		printf("Failed to probe device '%s' (err %dE)\n", argv[1],
+		       ret);
+		return CMD_RET_FAILURE;
+	}
+
+	printf("Device '%s' enabled\n", dev->name);
+
+	return CMD_RET_SUCCESS;
+}
+
+static int do_sb_devoff(struct cmd_tbl *cmdtp, int flag, int argc,
+			char *const argv[])
+{
+	struct udevice *dev;
+	ofnode root, node;
+	int ret;
+
+	if (argc != 2)
+		return CMD_RET_USAGE;
+
+	/* Find the specified device tree node */
+	root = oftree_root(oftree_default());
+	node = ofnode_find_subnode(root, argv[1]);
+	if (!ofnode_valid(node)) {
+		printf("Device tree node '%s' not found\n", argv[1]);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Find the device bound to this node */
+	ret = device_find_global_by_ofnode(node, &dev);
+	if (ret) {
+		printf("Device '%s' not found or not bound (err %dE)\n",
+		       argv[1], ret);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Remove the device (deactivate it) */
+	ret = device_remove(dev, DM_REMOVE_NORMAL);
+	if (ret) {
+		printf("Failed to remove device '%s' (err %dE)\n", argv[1],
+		       ret);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Unbind the device */
+	ret = device_unbind(dev);
+	if (ret) {
+		printf("Failed to unbind device '%s' (err %dE)\n", argv[1],
+		       ret);
+		return CMD_RET_FAILURE;
+	}
+
+	printf("Device '%s' disabled\n", argv[1]);
+
+	return CMD_RET_SUCCESS;
+}
+
 U_BOOT_LONGHELP(sb,
-	"handoff     - Show handoff data received from SPL\n"
-	"sb map         - Show mapped memory\n"
-	"sb state       - Show sandbox state");
+	"devoff <node>  - Disable device from device tree node\n"
+	"sb devon <node>   - Enable device from device tree node\n"
+	"sb handoff        - Show handoff data received from SPL\n"
+	"sb map            - Show mapped memory\n"
+	"sb state          - Show sandbox state");
 
 U_BOOT_CMD_WITH_SUBCMDS(sb, "Sandbox status commands", sb_help_text,
+	U_BOOT_SUBCMD_MKENT(devoff, 2, 1, do_sb_devoff),
+	U_BOOT_SUBCMD_MKENT(devon, 2, 1, do_sb_devon),
 	U_BOOT_SUBCMD_MKENT(handoff, 1, 1, do_sb_handoff),
 	U_BOOT_SUBCMD_MKENT(map, 1, 1, do_sb_map),
 	U_BOOT_SUBCMD_MKENT(state, 1, 1, do_sb_state));
diff --git a/doc/usage/cmd/sb.rst b/doc/usage/cmd/sb.rst
index 37431aff7c8..ee9b3d80767 100644
--- a/doc/usage/cmd/sb.rst
+++ b/doc/usage/cmd/sb.rst
@@ -11,6 +11,8 @@ Synopsis
 
 ::
 
+    sb devoff <node>
+    sb devon <node>
     sb handoff
     sb map
     sb state
@@ -19,7 +21,24 @@ Description
 -----------
 
 The *sb* command is used to display information about sandbox's internal
-operation. See :doc:`/arch/sandbox/index` for more information.
+operation and to manage devices. See :doc:`/arch/sandbox/index` for more
+information.
+
+sb devoff
+~~~~~~~~~
+
+This disables a device that was previously enabled with *sb devon*. The device
+is removed (deactivated) and unbound from the driver model. The parameter is
+the name of a device tree node.
+
+sb devon
+~~~~~~~~
+
+This enables a device from the device tree. The device tree node is located,
+bound to the driver model, and probed (activated). This is useful for testing
+devices that are not automatically bound at startup, i.e. those marked as
+status = "disabled" in the device tree. The parameter is the name of a root
+devicetree node.
 
 sb handoff
 ~~~~~~~~~~
@@ -54,6 +73,25 @@ command-line with which sandbox was started.
 Example
 -------
 
+This shows enabling a device from the `test.dts` device tree. Note that sandbox
+must be run with the -T flag to use the test device tree::
+
+    => sb devon mmc11
+    Device 'mmc11' enabled
+    => ls mmc b
+                extlinux/
+            7   initrd.img-6.8.0-53-generic
+         1616   vmlinuz-6.8.0-53-generic
+
+    2 file(s), 1 dir(s)
+
+    => sb devoff mmc11
+    Device 'mmc11' disabled
+    => ls mmc b
+    ** Bad device specification mmc b **
+    Couldn't find partition mmc b
+    =>
+
 This shows checking for the presence of SPL-handoff information. For this to
 work, ``u-boot-spl`` must be run, with build that enables ``CONFIG_SPL``, such
 as ``sandbox_spl``::
diff --git a/test/cmd/Makefile b/test/cmd/Makefile
index 9cd8ea3aaf0..4d8f93e2551 100644
--- a/test/cmd/Makefile
+++ b/test/cmd/Makefile
@@ -41,6 +41,7 @@ obj-$(CONFIG_CMD_MBR) += mbr.o
 obj-$(CONFIG_CMD_PINMUX) += pinmux.o
 obj-$(CONFIG_CMD_PWM) += pwm.o
 obj-$(CONFIG_CMD_READ) += rw.o
+obj-y += sb.o
 obj-$(CONFIG_CMD_SETEXPR) += setexpr.o
 obj-$(CONFIG_CMD_SMBIOS) += smbios.o
 obj-$(CONFIG_CMD_TEMPERATURE) += temperature.o
diff --git a/test/cmd/sb.c b/test/cmd/sb.c
new file mode 100644
index 00000000000..cb871dffd57
--- /dev/null
+++ b/test/cmd/sb.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Test for sb command
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ */
+
+#include <dm.h>
+#include <dm/test.h>
+#include <test/test.h>
+#include <test/ut.h>
+
+/* Basic test of 'sb devon' and 'sb devoff' commands */
+static int dm_test_sb_devon_devoff(struct unit_test_state *uts)
+{
+	struct udevice *dev;
+	ofnode root, node;
+
+	/* Find the mmc11 device tree node */
+	root = oftree_root(oftree_default());
+	node = ofnode_find_subnode(root, "mmc11");
+	ut_assert(ofnode_valid(node));
+
+	/* Verify device is not initially bound */
+	ut_assert(device_find_global_by_ofnode(node, &dev));
+
+	/* Enable the device using 'sb devon' */
+	ut_assertok(run_command("sb devon mmc11", 0));
+	ut_assert_nextline("Device 'mmc11' enabled");
+	ut_assert_console_end();
+
+	/* Verify device is now bound and probed */
+	ut_assertok(device_find_global_by_ofnode(node, &dev));
+	ut_assertnonnull(dev);
+	ut_assert(device_active(dev));
+
+	/* Disable the device using 'sb devoff' */
+	ut_assertok(run_command("sb devoff mmc11", 0));
+	ut_assert_nextline("Device 'mmc11' disabled");
+	ut_assert_console_end();
+
+	/* Verify device is no longer bound */
+	ut_assert(device_find_global_by_ofnode(node, &dev));
+
+	return 0;
+}
+DM_TEST(dm_test_sb_devon_devoff, UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test 'sb devon' with invalid node */
+static int dm_test_sb_devon_invalid(struct unit_test_state *uts)
+{
+	/* Try to enable non-existent device */
+	ut_asserteq(1, run_command("sb devon nonexistent", 0));
+	ut_assert_nextline("Device tree node 'nonexistent' not found");
+	ut_assert_console_end();
+
+	return 0;
+}
+DM_TEST(dm_test_sb_devon_invalid, UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test 'sb devoff' with invalid node */
+static int dm_test_sb_devoff_invalid(struct unit_test_state *uts)
+{
+	/* Try to disable non-existent device */
+	ut_asserteq(1, run_command("sb devoff nonexistent", 0));
+	ut_assert_nextline("Device tree node 'nonexistent' not found");
+	ut_assert_console_end();
+
+	return 0;
+}
+DM_TEST(dm_test_sb_devoff_invalid, UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test 'sb devon' on device that's already enabled */
+static int dm_test_sb_devon_already_enabled(struct unit_test_state *uts)
+{
+	/* Enable the device first */
+	ut_assertok(run_command("sb devon mmc11", 0));
+	ut_assert_nextline("Device 'mmc11' enabled");
+	ut_assert_console_end();
+
+	/* Try to enable it again - should fail */
+	ut_asserteq(1, run_command("sb devon mmc11", 0));
+	ut_assert_nextline("Device 'mmc11' is already enabled");
+	ut_assert_console_end();
+
+	/* Clean up - disable the device */
+	ut_assertok(run_command("sb devoff mmc11", 0));
+	ut_assert_nextline("Device 'mmc11' disabled");
+	ut_assert_console_end();
+
+	return 0;
+}
+DM_TEST(dm_test_sb_devon_already_enabled, UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test 'sb devoff' on device that's not bound */
+static int dm_test_sb_devoff_not_bound(struct unit_test_state *uts)
+{
+	struct udevice *dev;
+	ofnode root, node;
+
+	/* Find the mmc11 device tree node */
+	root = oftree_root(oftree_default());
+	node = ofnode_find_subnode(root, "mmc11");
+	ut_assert(ofnode_valid(node));
+
+	/* Ensure device is not bound (clean up from any previous test) */
+	if (!device_find_global_by_ofnode(node, &dev)) {
+		ut_assertok(run_command("sb devoff mmc11", 0));
+		ut_assert_nextlinen("Device 'mmc11' disabled");
+		ut_assert_console_end();
+	}
+
+	/* Verify device is not bound */
+	ut_assert(device_find_global_by_ofnode(node, &dev));
+
+	/* Try to disable a device that's not bound */
+	ut_asserteq(1, run_command("sb devoff mmc11", 0));
+	ut_assert_nextlinen("Device 'mmc11' not found or not bound");
+	ut_assert_console_end();
+
+	return 0;
+}
+DM_TEST(dm_test_sb_devoff_not_bound, UTF_SCAN_FDT | UTF_CONSOLE);

From patchwork Fri Oct 31 06:54:03 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 657
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893731;
	bh=Y383pT3hhGRtxCQTSqmwfjN1JfXyAOijBWJltbl1eYg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=gy7I+IznnhjNtUDqh4g2YoKAVqCz2KzKlcEoKV2gz2x2kLxz0IuClNy05sP/cgnBF
	 HtGOEZlYNX41skht4sp6iDmJhn9sTeF2abhEz/DeWxUJhY2pWEuGf/PDO5JcByE59I
	 WK8bGC4PZ3FrfbNkYuRDAVa3+Yuv7j0qik1H0VxaA7xyVZFLBV6iTJA4z39hV0i2pq
	 X/Nm7XFjllR5UaRzK6yS0nis/oPxGjnIj7V4YejO+LFGMeZBSII9NF5sQZ/E3Bx0bt
	 HaTtlh7LpkkBYpo7DTBzZUusGUH2KeXbU98u7zaTwgi/bspmRz/WO745sm/6U1LHo8
	 N4kdHaKr+8Dew==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 9091B68356
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:31 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id kMvTc26mt65o for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:31 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893731;
	bh=Y383pT3hhGRtxCQTSqmwfjN1JfXyAOijBWJltbl1eYg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=gy7I+IznnhjNtUDqh4g2YoKAVqCz2KzKlcEoKV2gz2x2kLxz0IuClNy05sP/cgnBF
	 HtGOEZlYNX41skht4sp6iDmJhn9sTeF2abhEz/DeWxUJhY2pWEuGf/PDO5JcByE59I
	 WK8bGC4PZ3FrfbNkYuRDAVa3+Yuv7j0qik1H0VxaA7xyVZFLBV6iTJA4z39hV0i2pq
	 X/Nm7XFjllR5UaRzK6yS0nis/oPxGjnIj7V4YejO+LFGMeZBSII9NF5sQZ/E3Bx0bt
	 HaTtlh7LpkkBYpo7DTBzZUusGUH2KeXbU98u7zaTwgi/bspmRz/WO745sm/6U1LHo8
	 N4kdHaKr+8Dew==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 8081368321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:31 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893730;
	bh=kIudzp3K6Spdm7KwM/KO7UD1yka1RzqEn1F8pt6Q3wE=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=T04WswkTZ9lFQhmmXI31H1TRGSxT3tblbBv9irp1GCwraWSQqkpsoBm3zKP9xfFkt
	 4Eo+KOAkcGTgQbYkSYNoPtHFkfGihxxX7Te9RkEJOwEzSyDKhyrmDXDsDyZci/UH/7
	 rW9aRC+/yv1J4zsuKbL2Ah1lHk2w8tEz3PZsR0+XOTJYOH4eT6P6etvz5XziA4RTot
	 Ao1KOYNje659xp78q7LRGUpBNzjptOmeyWMnMVVidKF77xXli+caSf6Frh3hjD1kWm
	 cdF4ZyKeSeNYBlefin+uk38Lp/wSxehXFQA1NQPVfylTcAtKwV9WHoJvYBz3cBnIoP
	 QY4dsuCl7Eg3A==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4574F682E9;
	Fri, 31 Oct 2025 00:55:30 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id bc7u17qmK8p3; Fri, 31 Oct 2025 00:55:30 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893726;
	bh=Qo4E7IWtqfb9u468IYSSiuO1sQ3sH4L1/4Vfx05vTzo=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=ZNlR37nickDF1RB+sCsEzTdF0nxCVaCGdtGCRFNU1YYp3D2DyFe23AWuBoM+uoIwt
	 aUO680SlVLJFnmkaU7dzProlyqYfaKTl2NjfJ/zJJgfKH6WDG6jsYf+z6fJTgT5K+K
	 0NvfpFMR1q4+ztFQxy7mSDb+O99a5XLnJLIEeIQDBO97mhXvcbHUpS2EyJw61a/Xwu
	 pl5fdwmoGdXAkWQKffMZX7/gB0L3drmGN9ErPtUE9Jt3dLwntgh8C2GzkhOxWWAxxg
	 Fw/0no4gC33z9qV00vZy6gOSQv/XSNbMGZk9bz/oqyeQkIhRVgY9GXy582Pd6k+Ow+
	 wETVFldVp4qBg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 05506682CD;
	Fri, 31 Oct 2025 00:55:25 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:03 -0600
Message-ID: <20251031065439.3251464-8-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: BMNVTYMMAHIYZRRAUFWIOFMTII3VCKQ2
X-Message-ID-Hash: BMNVTYMMAHIYZRRAUFWIOFMTII3VCKQ2
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 07/24] mbedtls: hash: Provide the mbedtls hash type
 in the
 hash interface
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/BMNVTYMMAHIYZRRAUFWIOFMTII3VCKQ2/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

The mbedtls hashing has not been integrated into U-Boot's hash API. As a
first step, add the mbedtls hash type into struct hash_algo and provide
the values. This allows looking up the type by its name.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 common/hash.c  |  5 +++++
 include/hash.h | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/common/hash.c b/common/hash.c
index 0c45992d5c7..2e3b12c109a 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -212,6 +212,7 @@ static struct hash_algo hash_algo[] = {
 		.digest_size	= MD5_SUM_LEN,
 		.chunk_size	= CHUNKSZ_MD5,
 		.hash_func_ws	= md5_wd,
+		HASH_MBEDTLS_TYPE(MBEDTLS_MD_MD5)
 	},
 #endif
 #if CONFIG_IS_ENABLED(SHA1)
@@ -233,6 +234,7 @@ static struct hash_algo hash_algo[] = {
 		.hash_update	= hash_update_sha1,
 		.hash_finish	= hash_finish_sha1,
 #endif
+		HASH_MBEDTLS_TYPE(MBEDTLS_MD_SHA1)
 	},
 #endif
 #if CONFIG_IS_ENABLED(SHA256)
@@ -254,6 +256,7 @@ static struct hash_algo hash_algo[] = {
 		.hash_update	= hash_update_sha256,
 		.hash_finish	= hash_finish_sha256,
 #endif
+		HASH_MBEDTLS_TYPE(MBEDTLS_MD_SHA256)
 	},
 #endif
 #if CONFIG_IS_ENABLED(SHA384)
@@ -275,6 +278,7 @@ static struct hash_algo hash_algo[] = {
 		.hash_update	= hash_update_sha384,
 		.hash_finish	= hash_finish_sha384,
 #endif
+		HASH_MBEDTLS_TYPE(MBEDTLS_MD_SHA384)
 	},
 #endif
 #if CONFIG_IS_ENABLED(SHA512)
@@ -296,6 +300,7 @@ static struct hash_algo hash_algo[] = {
 		.hash_update	= hash_update_sha512,
 		.hash_finish	= hash_finish_sha512,
 #endif
+		HASH_MBEDTLS_TYPE(MBEDTLS_MD_SHA512)
 	},
 #endif
 #if CONFIG_IS_ENABLED(CRC16)
diff --git a/include/hash.h b/include/hash.h
index 8b3f79ec473..46a2be72f7e 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -10,6 +10,15 @@
 #include <linux/kconfig.h>
 #endif
 
+#if !defined(USE_HOSTCC) && CONFIG_IS_ENABLED(MBEDTLS_LIB)
+#include <mbedtls_options.h>
+#include <mbedtls/md.h>
+
+#define HASH_MBEDTLS_TYPE(_val)	.md_type	= _val,
+#else
+#define HASH_MBEDTLS_TYPE(_val)
+#endif
+
 struct cmd_tbl;
 
 /*
@@ -44,6 +53,9 @@ struct hash_algo {
 	void (*hash_func_ws)(const unsigned char *input, unsigned int ilen,
 		unsigned char *output, unsigned int chunk_sz);
 	int chunk_size;				/* Watchdog chunk size */
+#if !defined(USE_HOSTCC) && CONFIG_IS_ENABLED(MBEDTLS_LIB)
+	mbedtls_md_type_t md_type;		/* mbedtls hash type */
+#endif
 	/*
 	 * hash_init: Create the context for progressive hashing
 	 *
@@ -120,7 +132,26 @@ int hash_command(const char *algo_name, int flags, struct cmd_tbl *cmdtp,
 int hash_block(const char *algo_name, const void *data, unsigned int len,
 	       uint8_t *output, int *output_size);
 
-#endif /* !USE_HOSTCC */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB)
+static inline mbedtls_md_type_t hash_mbedtls_type(struct hash_algo *algo)
+{
+	return algo->md_type;
+}
+#else
+static inline int hash_mbedtls_type(struct hash_algo *algo)
+{
+	return 0;
+}
+#endif
+
+#else /* USE_HOSTCC*/
+
+static inline int hash_mbedtls_type(struct hash_algo *algo)
+{
+	return 0;
+}
+
+#endif /* USE_HOSTCC */
 
 /**
  * hash_lookup_algo() - Look up the hash_algo struct for an algorithm

From patchwork Fri Oct 31 06:54:04 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 658
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893736;
	bh=FgswktyNpXkNy1P+PHmra8TpT6J/5YeaK4ALxYPu3gc=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=Mv7MmyKKYscB2NQG+oqQSbLQfwCMNTdaQ6b3/RO62JnQwJ6HXIqFomMeRcrGyNL/f
	 /uVmCMlgpRL/IW2eTeDUMfmvvA6sGulOjJZQXO7pTTN/BmhS/yGmOWs88FpHGDEo/a
	 qEbmUs+Z7Bniuv8uwFezstGTg2qi1d7KdoZfFxTvihXFXMBeSXxl3BX+g9ZR/8O8Yp
	 Wg2H+vC2qbX220wTNtmgNRJ6Ivh7GtKD8mDC3Nk7Q1oaYFX/faU2PQcPrBREWzQ2Wg
	 UDh6yvuIU97+VBQbeHRGYSJnnokvIDLdDCUFsYys2jtpXTnk0NIBc70P9g4+YLOaH7
	 aJZiRshwVAlLg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 5073E68362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:36 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id cd6Qa0bFNyk0 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:36 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893736;
	bh=FgswktyNpXkNy1P+PHmra8TpT6J/5YeaK4ALxYPu3gc=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=Mv7MmyKKYscB2NQG+oqQSbLQfwCMNTdaQ6b3/RO62JnQwJ6HXIqFomMeRcrGyNL/f
	 /uVmCMlgpRL/IW2eTeDUMfmvvA6sGulOjJZQXO7pTTN/BmhS/yGmOWs88FpHGDEo/a
	 qEbmUs+Z7Bniuv8uwFezstGTg2qi1d7KdoZfFxTvihXFXMBeSXxl3BX+g9ZR/8O8Yp
	 Wg2H+vC2qbX220wTNtmgNRJ6Ivh7GtKD8mDC3Nk7Q1oaYFX/faU2PQcPrBREWzQ2Wg
	 UDh6yvuIU97+VBQbeHRGYSJnnokvIDLdDCUFsYys2jtpXTnk0NIBc70P9g4+YLOaH7
	 aJZiRshwVAlLg==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4025E68321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:36 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893734;
	bh=beBtAKnF6ygP1KtsgFuAEBkK7BcHRBrVUT4ZAzLJWZ4=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Dj+BeS2rY2471M95ojF6OHp77O09Y624uRgyI6MU3VC6LbyoJGDGNdePAieltX7XW
	 uC/u/RJPc2WPG1v/pRyReknkHaHyd1UmUdwSi8kU/7B1ikpYhUu1j5Q3TGAV3G9gzV
	 Jg9jjcxqg1WIeaLut1iw5U7rrDFznAZiv0KFgTNZnw18XTi2rHfFKt5wHxfbtNmALd
	 7X0N63ROLV2hxFkQ33NjJ72OWFFEj1/uakOCYUMHrjO9liplcellTid0b6kSnVo6ig
	 pkiw4slYn+IMUqrk9Tp5UMpmPtNUz8abNdlEhdbtEhLD7FxrpDCvM7wkMIAes0MtBM
	 v2DkZ5HH3Fv2A==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DD0A968321;
	Fri, 31 Oct 2025 00:55:34 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id og7YVk-YIetO; Fri, 31 Oct 2025 00:55:34 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893730;
	bh=CXriC3nx9LoK4pSPRJ46vMqJiBtsNp9EE8tgQ2zYAqo=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=KGt9pjxIArMVlBvJo3jZ9saDDq+3lSx+/rxBe3lJ7ekAMUfMr9w+wDDDEnsNb0FcD
	 DLUwuvJpryDOD82yzGlfc5ECfO5c/oC7EASYwgvHAmit8d8nPaeRYwIipi9fd3Wc3U
	 zs0jT+3CYDOR3B/8XpSJYMryOCO1LBGJgxksjBN42yJS+v47KcSqnVDiOkQa/I8WZO
	 VR7SKRULL4iql6kRgetrU27z7dx0r3SVg3FwxyiKNjPstUtcYlJE34/Z0otf3EuiH6
	 YLO8/ZbPDi8STtDm2Ro9ZSJqLkitoJ+OEFtRYgtgGvStC48hP4VitnkvN5egpzBGGB
	 AFUtiJwRUuVMg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 8B4B7682CD;
	Fri, 31 Oct 2025 00:55:30 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:04 -0600
Message-ID: <20251031065439.3251464-9-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: QYQTI6NTBOP2QZJHD6H5ARYKSMDFXN4C
X-Message-ID-Hash: QYQTI6NTBOP2QZJHD6H5ARYKSMDFXN4C
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 08/24] mbedtls: Allow use of PKCS#5 functions
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/QYQTI6NTBOP2QZJHD6H5ARYKSMDFXN4C/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add a few Kconfig options to allow PKCS#5 (PBKDF2) to be used within
U-Boot

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 lib/mbedtls/Kconfig              | 14 ++++++++++++++
 lib/mbedtls/Makefile             |  2 ++
 lib/mbedtls/mbedtls_def_config.h |  4 ++++
 3 files changed, 20 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 789721ee6cd..2af043ba5b1 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -231,6 +231,13 @@ config HKDF_MBEDTLS
 	  This option enables support of key derivation using HKDF algorithm
 	  with MbedTLS crypto library.
 
+config PKCS5_MBEDTLS
+	bool "Enable PKCS#5 support with MbedTLS crypto library"
+	depends on MBEDTLS_LIB_CRYPTO
+	help
+	  This option enables support of PKCS#5 functions (PBKDF2) with
+	  MbedTLS crypto library. Required for LUKS decryption.
+
 endif # MBEDTLS_LIB_CRYPTO
 
 config MBEDTLS_LIB_X509
@@ -489,6 +496,13 @@ config SPL_HKDF_MBEDTLS
 	  This option enables support of key derivation using HKDF algorithm
 	  with MbedTLS crypto library in SPL.
 
+config SPL_PKCS5_MBEDTLS
+	bool "Enable PKCS#5 support with MbedTLS crypto library (SPL)"
+	depends on SPL_MBEDTLS_LIB_CRYPTO
+	help
+	  This option enables support of PKCS#5 functions (PBKDF2) with
+	  MbedTLS crypto library in SPL. Required for LUKS decryption.
+
 endif # SPL_MBEDTLS_LIB_CRYPTO
 
 config SPL_MBEDTLS_LIB_X509
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index c5b445bd85c..0506a5a6b3e 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -35,6 +35,8 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/sha512.o
 mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/hkdf.o
+mbedtls_lib_crypto-$(CONFIG_$(PHASE_)PKCS5_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/pkcs5.o
 
 # MbedTLS X509 library
 obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index dda3f4dd6e4..9e3beed07f4 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -60,6 +60,10 @@
 #define MBEDTLS_HKDF_C
 #endif
 
+#if CONFIG_IS_ENABLED(PKCS5_MBEDTLS)
+#define MBEDTLS_PKCS5_C
+#endif
+
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
 
 #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)

From patchwork Fri Oct 31 06:54:05 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 659
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893740;
	bh=t+1BGYO57CFKx4PDNVw5zjXa4p7HyKpf5dsovbCIrj8=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=k+hAKGyXliR/EodAG/O3fzqhiQXt9w1hC5RTfKAwZMtnE5Lwpq6yCsNudTD9WU80H
	 RhXY78lfsh5UL/x1Ev1qvRN75hNGdKVMShEjeK0RuQ53dPeJhssilGkIrAQ3JkWACe
	 02cXVE9YOsLOWBDnV9BY/GfYTELpNOBB7fauY2HCIj4vKJ8fpgZgwyZKQLOxy1sAZE
	 6S4s+MChouwpRE43I1nbLR+GBQBFGak9z+efyzqvROxJShZ0vVP5nIIEALdjOnIlgE
	 dSv8egewyGSbgs3VsN1SyK3/q9qWR1PcyQa3khXlvoFBfRdKDQ5o4K3LyMjFW+3xBI
	 4r0h3KM2HaMrw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id C96AC68368
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:40 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id QXc0oM-NmM2X for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:40 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893740;
	bh=t+1BGYO57CFKx4PDNVw5zjXa4p7HyKpf5dsovbCIrj8=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=k+hAKGyXliR/EodAG/O3fzqhiQXt9w1hC5RTfKAwZMtnE5Lwpq6yCsNudTD9WU80H
	 RhXY78lfsh5UL/x1Ev1qvRN75hNGdKVMShEjeK0RuQ53dPeJhssilGkIrAQ3JkWACe
	 02cXVE9YOsLOWBDnV9BY/GfYTELpNOBB7fauY2HCIj4vKJ8fpgZgwyZKQLOxy1sAZE
	 6S4s+MChouwpRE43I1nbLR+GBQBFGak9z+efyzqvROxJShZ0vVP5nIIEALdjOnIlgE
	 dSv8egewyGSbgs3VsN1SyK3/q9qWR1PcyQa3khXlvoFBfRdKDQ5o4K3LyMjFW+3xBI
	 4r0h3KM2HaMrw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id B96A768362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:40 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893739;
	bh=KAiLOO9PTTlOYahOOHxUxoTSm+wagJ1tBuqMPIU4H5k=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=UT6j9QYat6bvNGBLwiW5BwCW5jEU9X/87vxhq6gzE1YRgjmJRCLF2h9QKFb2SHDFt
	 ZSpQMn9C5chiijKXEIHfV8c339sYoJaGsr2GT/WnnW2bJv3Mpjh5TLkRg0z3hT1j0b
	 32XJleBPAXggstRy2i5WDmT7zhZXbJ3KUR3SiYaLsOk0o11QHG0C6ejwajQclIpKqj
	 FnDNmtsxQUXWAnalwWf20z8KpXuytDlR2ze3lCv/99lByGsi1ByvptoEkHDDD95E9A
	 QHtXJUvbhQuTlr8Adzr8Z8e75VoRCYMRNrZm8fDMFNCmk0pl0L/55ZOVRcEP9VZshU
	 o25SQd+U/PFog==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 630AD6827C;
	Fri, 31 Oct 2025 00:55:39 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id doSQGA_MiSLd; Fri, 31 Oct 2025 00:55:39 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893735;
	bh=3xr/zMfe29nUFethVrcKvMYVCPaNgWofh1qjsLmZkXQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Yf54AI88mSWBDwIsuM9pxOyax5oNx5OdA+S4NDWKyOiXF36AFmERnAWZoD4BnrQB5
	 OMgod7LTT++qgQbyXSe+O3mA2vHYfyR9veIEUh6YHF6lrMyV/QwWvLkRwBS+5nJHSk
	 3kN9tphRjJRqKaMQcVG0pZz+jz8+vLdrjAQClefa4Dqj/hVOj/iucRGIoqaEyFV/52
	 h96EWQTQ7q0dMG1yjzwN2Wnbcxq8Sm8IBaK/lwIYLuU96t7fckjVJbmdg+SLpoGw9B
	 gmYQYNTkYRMFJM1SwMcNJVAYBVxNagwMipVKigpEICRxk+9sjVuCpOaTZJEdKDmITr
	 wEgFhlEuz3ZAg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 273DD682CD;
	Fri, 31 Oct 2025 00:55:35 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:05 -0600
Message-ID: <20251031065439.3251464-10-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: EYVS3OCAUZ7EV5TWAEE3OH3IIWP76FI7
X-Message-ID-Hash: EYVS3OCAUZ7EV5TWAEE3OH3IIWP76FI7
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 09/24] test/py: Support creating space after a
 filesystem
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/EYVS3OCAUZ7EV5TWAEE3OH3IIWP76FI7/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

At present the partition size is always the same as the filesystem
within it. Add a way to specify a larger size, to make space for LUTS
tables needed for full-disk encryption.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 test/py/tests/fs_helper.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/test/py/tests/fs_helper.py b/test/py/tests/fs_helper.py
index baf61cbd232..e4ac946064f 100644
--- a/test/py/tests/fs_helper.py
+++ b/test/py/tests/fs_helper.py
@@ -42,7 +42,7 @@ class FsHelper:
         fs_img (str): Filename for the filesystem image; this is set to a
             default value but can be overwritten
     """
-    def __init__(self, config, fs_type, size_mb, prefix):
+    def __init__(self, config, fs_type, size_mb, prefix, part_mb=None):
         """Set up a new object
 
         Args:
@@ -51,6 +51,9 @@ class FsHelper:
                 fat12, fat16, fat32, exfat, fs_generic (which means vfat)
             size_mb (int): Size of file system in MB
             prefix (str): Prefix string of volume's file name
+            part_mb (int, optional): Size of partition in MB. If None, defaults
+                to size_mb. This can be used to make the partition larger than
+                the filesystem, to create space for disk-encryption metadata
         """
         if ('fat' not in fs_type and 'ext' not in fs_type and
              fs_type not in ['exfat', 'fs_generic']):
@@ -59,6 +62,7 @@ class FsHelper:
         self.config = config
         self.fs_type = fs_type
         self.size_mb = size_mb
+        self.partition_mb = part_mb if part_mb is not None else size_mb
         self.prefix = prefix
         self.quiet = True
 
@@ -222,10 +226,10 @@ class DiskHelper:
         for fsi, part_type, bootable in self.fs_list:
             if spec:
                 spec += '\n'
-            spec += f'type={part_type:x}, size={fsi.size_mb}M, start={pos}M'
+            spec += f'type={part_type:x}, size={fsi.partition_mb}M, start={pos}M'
             if bootable:
                 spec += ', bootable'
-            pos += fsi.size_mb
+            pos += fsi.partition_mb
 
         img_size = pos
         try:
@@ -241,7 +245,7 @@ class DiskHelper:
             check_call(
                 f'dd if={fsi.fs_img} of={self.fname} bs=1M seek={pos} conv=notrunc',
                 shell=True)
-            pos += fsi.size_mb
+            pos += fsi.partition_mb
         return self.fname
 
     def cleanup(self):

From patchwork Fri Oct 31 06:54:06 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 660
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893745;
	bh=eT167ydoiF+kapiyDcUUO3VN4BKbvicxxBZVsgJgs3g=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=QFr0dqEgXI3H0/eb2qhWeWWZulQWlohleb5FBP7KHvXFJC2YEnc4OSpR/Eo8wfOE5
	 +YeXqM/9+JLrljbV0xpZt4DIqiTXXasdsvpcOx9TioBD2JJBSurO6uX45V5NobzpqK
	 628uZoMtT4c/eidWFLjRoRgPdMLC+/28cVI4LqXfw7LtX6Lv8FYRfqjIq9ombzoCvT
	 AJDflHurPGqRVmHghMg0oKmwSpZfpwis/yjjO6DWXTiNUu9an6M7QGEg/wPy2YdEXv
	 Kj2J8h/PPJCHggtyi1Eut17mD8cBJ6TvCy6oM2kuEixjxRYDGFxWWxw+zShEuNGXBq
	 cvB2oYBsAxMqw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4162268346
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:45 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id nC9_kaIClPCQ for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:45 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893745;
	bh=eT167ydoiF+kapiyDcUUO3VN4BKbvicxxBZVsgJgs3g=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=QFr0dqEgXI3H0/eb2qhWeWWZulQWlohleb5FBP7KHvXFJC2YEnc4OSpR/Eo8wfOE5
	 +YeXqM/9+JLrljbV0xpZt4DIqiTXXasdsvpcOx9TioBD2JJBSurO6uX45V5NobzpqK
	 628uZoMtT4c/eidWFLjRoRgPdMLC+/28cVI4LqXfw7LtX6Lv8FYRfqjIq9ombzoCvT
	 AJDflHurPGqRVmHghMg0oKmwSpZfpwis/yjjO6DWXTiNUu9an6M7QGEg/wPy2YdEXv
	 Kj2J8h/PPJCHggtyi1Eut17mD8cBJ6TvCy6oM2kuEixjxRYDGFxWWxw+zShEuNGXBq
	 cvB2oYBsAxMqw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 30FF8682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:45 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893744;
	bh=td52+cWtLrNDFaOtQ2k3IefhaWRLLmRjiwwoQTU7P6c=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=H3SiCkbwOjVrFHUfbKHRlfcWH9nf7b7sewbkuuEHsdYevgTKI6PI4uSbtBm7vaJsM
	 lZYDYnVQk0Ktr47Ca6blpReSDLHbllyE65Ih8H7tIKHCyh9EoMuydoaaSkZZW9+qzO
	 0AE2JWTo3lGgDz1rcp/YM/yFalRMlWTKv/zzOcmdniglbPXJwgBtSyOvjQJ4urFrNo
	 by5ozp6sNzmSLvSm5KBgUSDwtnj0yiqhEi09KGmTYN0kOnVSB6wgT/bYylk52voAZW
	 HPKZru3JnY5XVkJhYCfIdEmERWWE8DeqhLSKXeRqoHmUPkO9ew7xeu/CKdkkGK4440
	 7IcFtE/98pn0w==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 148346827C;
	Fri, 31 Oct 2025 00:55:44 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id plpo_4AZL2io; Fri, 31 Oct 2025 00:55:44 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893739;
	bh=P0jk8XNVRgVtJrZrk5J2ExH+xqeo8K54aHXPA/zFn0Y=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=F7qXupm/GUqcgI7EuXlUQ/bWoNr9Hs/orw+jzgB/o3ekt/kNQBIb0WyrmbPyW3XES
	 uJNstEPjuudUSOAvS5D4fvmif8uncOSsb6m6LAc8Z1zv+Khlx7ZgZm8nq4KdTjYHDf
	 wtHdfmTvXFLx6r6HkNalWBHeBIEUSUPG4F5rteiPk/xQRz47lFy8wsOs6AAmYzyu/e
	 F+83S1O5MROMM4Pcb+BRqRqJwfmxWhzzH6R7070qwy+xFk+pl9QIRAKesQUxSSRJHL
	 mCeo8ufEH5NETQzxwpqNP2laclXMmUT36W81SXJ0/S3G39tnh8owIf9i6cNO2bpAWJ
	 w3iEkGm1F1fEQ==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id A4897682CD;
	Fri, 31 Oct 2025 00:55:39 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:06 -0600
Message-ID: <20251031065439.3251464-11-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: NZSNVCOMMJXRJW6W7KAHFIBYKAASIVW4
X-Message-ID-Hash: NZSNVCOMMJXRJW6W7KAHFIBYKAASIVW4
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 10/24] test/py: Support FDE with the extlinux image
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/NZSNVCOMMJXRJW6W7KAHFIBYKAASIVW4/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add a parameter to indicate the size of the root partition so that it
can have space for the LUTS metadata.

Move the import of gzip to the top of the file while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 test/py/img/common.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/test/py/img/common.py b/test/py/img/common.py
index c9be6a22362..a08744fbb76 100644
--- a/test/py/img/common.py
+++ b/test/py/img/common.py
@@ -3,6 +3,7 @@
 
 """Common utilities for image creation"""
 
+import gzip
 import os
 
 import utils
@@ -32,7 +33,7 @@ def copy_partition(ubman, fsfile, outname):
 
 
 def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
-                         script):
+                         script, part2_size=1):
     """Create a 20MB disk image with a single FAT partition
 
     Args:
@@ -44,9 +45,8 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
         initrd (str): Ramdisk filename
         dtbdir (str or None): Devicetree filename
         script (str): Script to place in the extlinux.conf file
+        part2_size (int): Size of second partition in MB (default: 1)
     """
-    import gzip
-    
     fsh = FsHelper(config, 'vfat', 18, prefix=basename)
     fsh.setup()
 
@@ -79,8 +79,15 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
     img = DiskHelper(config, devnum, basename, True)
     img.add_fs(fsh, DiskHelper.VFAT, bootable=True)
 
-    ext4 = FsHelper(config, 'ext4', 1, prefix=basename)
+    ext4 = FsHelper(config, 'ext4', max(1, part2_size - 30), prefix=basename,
+                    part_mb=part2_size)
     ext4.setup()
+
+    bindir = os.path.join(ext4.srcdir, 'bin')
+    mkdir_cond(bindir)
+    with open(os.path.join(bindir, 'bash'), 'w', encoding='ascii') as fd:
+        print('bash', file=fd)
+
     ext4.mk_fs()
 
     img.add_fs(ext4, DiskHelper.EXT4)

From patchwork Fri Oct 31 06:54:07 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 661
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893750;
	bh=/vJEnEDop6tSXqNZLGPq0b6umWkABYxLbD7vuNfjTdQ=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=B6RhD3lnN27FEAL5jBKUFENwZxsx6Red85yftsaOm4D4KWJ6HUW1rZfzlJnKfvt8a
	 CxHFKnarBcEJKaRO/m/w1/BvLS5FjWy1N4zqrUMeGOIhynVLMKdwWi4ea2H+cpDXX4
	 mqIvm8qAxAsDKnDkaAyWsRiMkeyGDLMXcZ+4fcTdhk+2H5LbPYzvXjpzyMKjRhSXux
	 PmqMAWpHCKUqemCYS1+adeRfpHuqPNF98jpZQYIlPV06kg9+i+u6oVhadu/VB6UTi6
	 uIcmXpbngWT4mruvgmfPE7RvZUVUelHVe8uTRkUBRoWyRA8Z7ayTvi+I9Q9UYAs7qu
	 qygy2bBMAPY2A==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id B0A5F68346
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:50 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id FYVbWgPLsi6u for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:50 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893750;
	bh=/vJEnEDop6tSXqNZLGPq0b6umWkABYxLbD7vuNfjTdQ=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=B6RhD3lnN27FEAL5jBKUFENwZxsx6Red85yftsaOm4D4KWJ6HUW1rZfzlJnKfvt8a
	 CxHFKnarBcEJKaRO/m/w1/BvLS5FjWy1N4zqrUMeGOIhynVLMKdwWi4ea2H+cpDXX4
	 mqIvm8qAxAsDKnDkaAyWsRiMkeyGDLMXcZ+4fcTdhk+2H5LbPYzvXjpzyMKjRhSXux
	 PmqMAWpHCKUqemCYS1+adeRfpHuqPNF98jpZQYIlPV06kg9+i+u6oVhadu/VB6UTi6
	 uIcmXpbngWT4mruvgmfPE7RvZUVUelHVe8uTRkUBRoWyRA8Z7ayTvi+I9Q9UYAs7qu
	 qygy2bBMAPY2A==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id A1273682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:50 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893748;
	bh=7Wpn76RktNmQ7Ckqn38skFkzO6xn+0dDLbmr2yo7/bU=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=WeYCDW4P55inaLj5m7AZnKp6PTsr3rTF1Po6uaob8H/GkL25E9a7+bv59fqElujnM
	 ZxKqiFywPE8HZ22fWpwFF3vB3eSslV5dOd1UnF2GvLo4tBIw4vs5E9dfkacCw07WxT
	 5PuX+eR6srn1IRYHCS/cHPzE1u9SX84erAxJQequN22Sw24paFyXen7fr3cw6QpYu2
	 2kLFO3F5IFAOC/FI/9OAIpa9B1+/6RgR5ckMuiqkrdt2nj6o3aoqWbs50LnRXdNEOl
	 TM7tx4FpLWjeEok8XVj6qSl+/9TzD53szTXLyH/n+eXD+uyGCjxPlHvQivqNEQMU7S
	 scKH0uODydJZQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 6CE086827C;
	Fri, 31 Oct 2025 00:55:48 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id hmZF-xBBVs2P; Fri, 31 Oct 2025 00:55:48 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893744;
	bh=S37J44fJ7+fm09AxcHMi9sqiaCcti2N/Qhk2aKrM0Qw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Jk4HItWcGsJPIcuVBtVsKx5PWPquCZEzWcrlOgHi68zd1nl88VhzTtmPAmH9hRfED
	 UQbUf+Yhr6Pu2BT2zc6JzF9A7PjBiDOowD4lI2EpmpCevSAzTBl2DTbSAuE/evth0t
	 JDqVaFtth6ZgtfWRe//1aJEd6TmnDYbFkc3l5s/SKn1NluElRwLPogS791MFIPD8zg
	 jrSb8PBPyETw9tcrUPRnbUP4iRFVKqa36dk9JoVNfMG0KV/tEWBG/YrkVvJaVPMP03
	 5NY+fc6L6wLFwjS4IRPjlTQdF7q/8GHspGqHOLu1DhU4GV56/Rfh02/JQ66yuorYQH
	 qCrI3C+ygx36w==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 59066682CD;
	Fri, 31 Oct 2025 00:55:44 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:07 -0600
Message-ID: <20251031065439.3251464-12-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: UZUVPN76FYHNPJ57LGFFRW2BOFG2YVGQ
X-Message-ID-Hash: UZUVPN76FYHNPJ57LGFFRW2BOFG2YVGQ
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 11/24] test/py: Set up an Ubuntu image with space
 for FDE
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/UZUVPN76FYHNPJ57LGFFRW2BOFG2YVGQ/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Update one of the Ubuntu images to provide space for using full-disk
encryption.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 test/py/img/ubuntu.py    | 11 ++++++++---
 test/py/tests/test_ut.py |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/test/py/img/ubuntu.py b/test/py/img/ubuntu.py
index 1247ec134d5..c60da4a0c41 100644
--- a/test/py/img/ubuntu.py
+++ b/test/py/img/ubuntu.py
@@ -6,14 +6,19 @@
 from img.common import setup_extlinux_image
 
 
-def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS'):
-    """Create a 20MB Ubuntu disk image with a single FAT partition
+def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS',
+                       use_fde=False):
+    """Create a Ubuntu disk image with a FAT partition and ext4 partition
+
+    This creates a FAT partition containing extlinux files, kernel, etc. and a
+    separate ext4 partition containing the root disk
 
     Args:
         config (ArbitraryAttributeContainer): Configuration
         log (multiplexed_log.Logfile): Log to write to
         devnum (int): Device number to use, e.g. 1
         basename (str): Base name to use in the filename, e.g. 'mmc'
+        use_fde (bool): True to set up full-disk encryption
     """
     vmlinux = 'vmlinuz-6.8.0-53-generic'
     initrd = 'initrd.img-6.8.0-53-generic'
@@ -44,4 +49,4 @@ label l0r
 	initrd /boot/%s
 ''' % ((version, vmlinux, initrd) * 2)
     setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
-                         script)
+                         script, part2_size=60 if use_fde else 1)
diff --git a/test/py/tests/test_ut.py b/test/py/tests/test_ut.py
index b532bdced13..218f5a74ac1 100644
--- a/test/py/tests/test_ut.py
+++ b/test/py/tests/test_ut.py
@@ -83,7 +83,7 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log):
     setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04')
     setup_localboot_image(u_boot_config, u_boot_log)
     setup_vbe_image(u_boot_config, u_boot_log)
-    setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc')
+    setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=True)
 
 def test_ut(ubman, ut_subtest):
     """Execute a "ut" subtest.

From patchwork Fri Oct 31 06:54:08 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 662
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893754;
	bh=M/WVYqUeFBjqiCxOK1GBWkcP6JFE0IkbYluxZiIar1A=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=pZL9uyLFo5BfiyWZcUAXcAmvGygLn1Giam9eAHdPfRWmhun3zXKalCBhegRfFFLd8
	 846aXVgm1aP0vHmybO5T9OK2jzU/cxG8GbgKX1V6Rta4fplCGFu8Bz/u5GoRkp8cOp
	 SmAKwJLa7f5KfM1GAJpQKQCO3kEDWa7xFnbr5sFZnis85iDtrqySS6Avhg4AYKcqB6
	 y3sdQVIhsA/xa8zhdVC1y3EYNNfbe8m55S5NNhZBZezrc3kPhfbWiZ/y7ZWFEkRGLr
	 kNviltoNJyjzeZm+b/F4jztL+StSaqevcaYDJZwJR8tLnDK0PhjAdS/aiKkdnGe28b
	 gTR40vGUfWyhQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 6394668362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:54 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 44HRt4Jvq4nL for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:54 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893754;
	bh=M/WVYqUeFBjqiCxOK1GBWkcP6JFE0IkbYluxZiIar1A=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=pZL9uyLFo5BfiyWZcUAXcAmvGygLn1Giam9eAHdPfRWmhun3zXKalCBhegRfFFLd8
	 846aXVgm1aP0vHmybO5T9OK2jzU/cxG8GbgKX1V6Rta4fplCGFu8Bz/u5GoRkp8cOp
	 SmAKwJLa7f5KfM1GAJpQKQCO3kEDWa7xFnbr5sFZnis85iDtrqySS6Avhg4AYKcqB6
	 y3sdQVIhsA/xa8zhdVC1y3EYNNfbe8m55S5NNhZBZezrc3kPhfbWiZ/y7ZWFEkRGLr
	 kNviltoNJyjzeZm+b/F4jztL+StSaqevcaYDJZwJR8tLnDK0PhjAdS/aiKkdnGe28b
	 gTR40vGUfWyhQ==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 5201A68346
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:54 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893753;
	bh=LG+S4vS3tiFOcRg83jpWDhpM4Zcl6fG9svrTP/YDkPM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=ZZVTvIT5DqGSfFpD6nt5Uy7FRK4LmfHPyP6in8f9eEFZhqnXEDoj3lms9LTpJw6cm
	 YXi2L0Abbw8qgu2Kr8J8m/37TfxHKKWk31550hH7bJ0R7/+hrp7FhNRDGSDMdQBZ3p
	 Yx4lmmrnaGDonv2A0G8xd4h2Nj5xjlC+opzccfT5UKxbG6PrjbNmVi0t0/vjSC4J1D
	 fOCJJwk03zMWq2iyLryC8PeQIJRdWdbJHp/gNzUcn36rxTh6RFa4zWZlaVuuCBEMI6
	 YI5NSMCCGqeet9g08mCImZJ4OU1ISCCGrZ2jtwH53IQsJ3u25OrioWpKeHyeSVvMc7
	 h1xjJitW36WRw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 058066827C;
	Fri, 31 Oct 2025 00:55:53 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id BaY6E6hDasj1; Fri, 31 Oct 2025 00:55:52 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893749;
	bh=HwddbA32tsrbganAGNeDHjgta5u4B71qJ+5iYJBLg2g=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=YbK5QtsYnaxc5G7l1ZuJoib6z2yVKPEr7KtKYRuSGWxhiAkCsWZ0Fujwmj5DD2pLV
	 qCc3QRslA0p5FaOjBRbY0fBFKNd7ZVMiyL4OHNcyIF/YwRaUaLfAY4BWAoRQNQGQwe
	 MJx5gu+4433Om8PDhg0Y6OwsPiwducil+ix6W3KtjveedHE/sj+8HkkqCxuq0Rhy04
	 /1fqLRFikoOE2qDgoHsjxTgQFF/FZ1onVkOcjZ8kFCfDjY/DZlsF5ZPBnt8vRc4DLt
	 gBdWXJitrfA0cUiPAb7tTUlLOet+wqIUx6QP5EoB0188ovP8RrQqkKePvBEaKyQYkQ
	 PVE5NzM1F25Tg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id B3A6A682CD;
	Fri, 31 Oct 2025 00:55:48 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:08 -0600
Message-ID: <20251031065439.3251464-13-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: 34XW7VH6AELKSA67DGA7YBCDXB2ZIMPN
X-Message-ID-Hash: 34XW7VH6AELKSA67DGA7YBCDXB2ZIMPN
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 12/24] docker: Add cryptsetup package for LUKS
 testing
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/34XW7VH6AELKSA67DGA7YBCDXB2ZIMPN/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add cryptsetup to the CI Docker image to enable LUKS encryption tests.
This is needed to create test images.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 tools/docker/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index ba98a293e4b..4665304fbfc 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -69,6 +69,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	clang-18 \
 	coreutils \
 	cpio \
+	cryptsetup \
 	curl \
 	device-tree-compiler \
 	dosfstools \

From patchwork Fri Oct 31 06:54:09 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 663
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893759;
	bh=dy1mb+iIKyC9aDzJmDxdnDW705lbW7Wqi0mmtTXcyVA=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=ry9kRMkXQowXOo3mm8jf/wJpVY0ZrRrBXxgs57WNANIG4uIQuq15YHRkZyUg9N/q1
	 KK0/7kBLF3ErD1rfTFQeAqMI4XLWT6Vb8tyM9Rr5Ju3/xh5EULoAH+yktgJKP2o1MY
	 xT2acvzLHK6yp9sID25nJwMxqfEb6mDkJiPsiLYUmk96St1ehATcapKGKZKZkhxEzM
	 Yzm0nSHSWgZ4MDb5TbXo90F3ACmIp+vDUHEnE2AgacB35d+pT83jC/ZyK7gKfmfhqa
	 dZ0FQ7cZWd5ZCjkT6n9hZrN7D3cfunK6oDFHdLite0CVeLdjqmeqgd3SNdqAi2m7S2
	 Gq74JXjSQhZGg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id BF1A368362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:59 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id RAB2JM0_A6u3 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:55:59 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893759;
	bh=dy1mb+iIKyC9aDzJmDxdnDW705lbW7Wqi0mmtTXcyVA=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=ry9kRMkXQowXOo3mm8jf/wJpVY0ZrRrBXxgs57WNANIG4uIQuq15YHRkZyUg9N/q1
	 KK0/7kBLF3ErD1rfTFQeAqMI4XLWT6Vb8tyM9Rr5Ju3/xh5EULoAH+yktgJKP2o1MY
	 xT2acvzLHK6yp9sID25nJwMxqfEb6mDkJiPsiLYUmk96St1ehATcapKGKZKZkhxEzM
	 Yzm0nSHSWgZ4MDb5TbXo90F3ACmIp+vDUHEnE2AgacB35d+pT83jC/ZyK7gKfmfhqa
	 dZ0FQ7cZWd5ZCjkT6n9hZrN7D3cfunK6oDFHdLite0CVeLdjqmeqgd3SNdqAi2m7S2
	 Gq74JXjSQhZGg==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id A835168321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:55:59 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893757;
	bh=oAU1a2NLDmLKtS6zu7UfBFm2Zr7FDxmq/Cpf679M2VM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=fy1ZlGq9nYguAknibOoqTkaj3jsYrQesrPCboP8i2maQm8ouJ51mfDUSfWN5Bj6DO
	 ZV298huquc3XkNpD0pAGsLpds49jaI1ufv6E99KgG908vMbiuvozIJpsdSUCT5u19H
	 bV1eD9QT1QI0VWBqyvyjKkS9BaQHVc3zeFaXtZLVXNb0TWaJ0a8Hc9Y7otPTZ9v5gf
	 FZvFEtB22iaI+qRpkJh+3QMOsmsMMS1vfs5yD51OC4B7w2PJ687fivSYb8tcMPlKcl
	 rRDFWYCT/z8ojkFPjgZ5GQf8sfSx9tz66lB3uoBb0Cb74ayX5oo06VP6LqRmfQVm26
	 rYA7jpuD0Uoyw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id BE55D5FBA9;
	Fri, 31 Oct 2025 00:55:57 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id EfwxcBgtFd_E; Fri, 31 Oct 2025 00:55:57 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893753;
	bh=TfdZqChCGpg2H5S/jKPjALaNZENgMgqnbovLwt6GZC4=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=LK5IKZztvF7gw1VvCpg/kox+xFPKlvvCjnkjs9h0pBXB6Q8IWsjFobddLIfy8GA7l
	 CiUA7u6mGZVO6sWA0p13HzrZ56V8bBGdT46dV90Wfpvo0z53MTZoUaPdrPu4dAUg9z
	 E118dQ0sPHmMlFAbxbM191uux4Ddoxj9b5LfNwPywZKCWtuoBB4BKrk0AG/sXZFjv9
	 vuIfmCaeDrhxtUqeZy8AU067ojYowloaAhBsyepBaGLxhDztuIT7RG5iOiZGMsb8f0
	 25qk3Bda6GacnuFc5TX65Rzb8+ecvmUVES5YgJdhqqzTb2gc4e84pRf+xdfY+KRKwJ
	 P0//N26Nwx6gg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 4765268321;
	Fri, 31 Oct 2025 00:55:53 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:09 -0600
Message-ID: <20251031065439.3251464-14-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: HHXRBEAQS6C4IOUTTQDCKS3Z5GQVCEU5
X-Message-ID-Hash: HHXRBEAQS6C4IOUTTQDCKS3Z5GQVCEU5
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 13/24] CI: Update Docker image to including luks
 tools
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/HHXRBEAQS6C4IOUTTQDCKS3Z5GQVCEU5/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Update the GitLab CI Docker image to use the new build with cryptsetup
support for LUKS testing.

This appears to require use of sudo, so add a comment about that.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 .gitlab-ci.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 534426f0538..68f2534918c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,7 +20,7 @@ default:
     - ${DEFAULT_TAG}
   # Grab our configured image.  The source for this is found
   # in the u-boot tree at tools/docker/Dockerfile
-  image: ${MIRROR_DOCKER}/sjg20/u-boot-gitlab-ci-runner:jammy-20250714-10Sep2025p2
+  image: ${MIRROR_DOCKER}/sjg20/u-boot-gitlab-ci-runner:jammy-20250404-24Oct2025p1
   services:
     - name: container-$(CI_JOB_ID)
       command: ["--rm"]
@@ -37,6 +37,10 @@ stages:
 .buildman_and_testpy_template: &buildman_and_testpy_dfn
   stage: test.py
   retry: 2 # QEMU may be too slow, etc.
+  # Note: These tests require device-mapper access for LUKS encryption tests.
+  # The GitLab runner must be configured with:
+  #   - privileged = true in /etc/gitlab-runner/config.toml
+  #   OR passwordless sudo for: modprobe, cryptsetup, dd
   rules:
     - if: $LAB_ONLY == "1"
       when: never

From patchwork Fri Oct 31 06:54:10 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 664
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893765;
	bh=xw7hoFgCHGu3FVduXhJhoj95RdV1yPbDSwzG/LNHdD8=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=JJ4xNlPKG3FWH2Sht8yDHOlQmN7o4LMdUXSjid3AKNUSk8xvsBFrwBFGWpmWsjzDQ
	 0t+LavBUbb4S8yS4Lb8Jt0sMlLyEkXQW+6ujnzcd12wgcE5ELlMAAOVseAn0JI0d1M
	 VrhJ3amc8pfEBK4raYSKP0cQE3PfrSoboU/Qx5NIui2Lps1C2gSUj9znWEEq6lN5AF
	 HFDN0ujhPY3DvN5DC8hOeAj+58KA3GzWsl/VyRH4cFP6Bq3d++Em1+czN1qbnBJtyf
	 jyMTT3UjrULmd2R7XCI49ua9P+QQjlTOO1b+nzWlL3HtrH+txk/qPJuJRbWyS5ddKM
	 Pb/asEUtFoenw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 24EDB68362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:05 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id VbLA19QMQ8Ex for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:05 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893765;
	bh=xw7hoFgCHGu3FVduXhJhoj95RdV1yPbDSwzG/LNHdD8=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=JJ4xNlPKG3FWH2Sht8yDHOlQmN7o4LMdUXSjid3AKNUSk8xvsBFrwBFGWpmWsjzDQ
	 0t+LavBUbb4S8yS4Lb8Jt0sMlLyEkXQW+6ujnzcd12wgcE5ELlMAAOVseAn0JI0d1M
	 VrhJ3amc8pfEBK4raYSKP0cQE3PfrSoboU/Qx5NIui2Lps1C2gSUj9znWEEq6lN5AF
	 HFDN0ujhPY3DvN5DC8hOeAj+58KA3GzWsl/VyRH4cFP6Bq3d++Em1+czN1qbnBJtyf
	 jyMTT3UjrULmd2R7XCI49ua9P+QQjlTOO1b+nzWlL3HtrH+txk/qPJuJRbWyS5ddKM
	 Pb/asEUtFoenw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 13D7E68321
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:05 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893762;
	bh=dmeuneN5tEI4bjU7cqAnzU2VoQMvZEx8kTnGTLfGns8=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=krwpfVrQpUGm5IX84kFHMC4S7hXCNNzgWsy8xcBcDP0/vuEv6MLpz+AtN01XeT2m3
	 urllQXvEvUkewrzF0QwccWiWZ/Vailq+UM6CQrmC4jz6hAAdlnOV9yRN6LYT9/NWG2
	 /0ng6M+H/iQD6HD3a6IfhMlaSIZtkDGUc0nGL6+3i/CXSkGSo7zZInQBUvcwAC/38T
	 fjn6z5pwNqNNwzMHun3+XIF5aiLyG+EhLWFysK+N728JJJuIoBJJK276JALGjKzybY
	 SOwsiAffu+h3wjnd8e8X1f3cHMxDEQ7EJuBfXY+fCG+39k+SlSdv/gVhjkSFz3njk7
	 fnP9x/TqRF10g==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 802CD5FBA9;
	Fri, 31 Oct 2025 00:56:02 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id hUwr51h8RvH0; Fri, 31 Oct 2025 00:56:02 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893758;
	bh=wr2fcKvmvtdwW4lq7DKXr1GGHhQHhpvJ1D3FsKuXW94=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=hG4HRX2fVWM+KUelwaxn3pijLi6A+sEvgLFVO/LAjb26yn0VnQX9Ms38C2pkWaCZz
	 Smh+Vszh0EznfOUGFxy3WEEPfvJ3MDayZJDVMvxXBwE62EhPJBCy2Id0OflKsqGvic
	 88reCW8ijLvBffrYQTBPi5iQpbkvi36P2Ue20gs1fwmrlOpd+6+GU7RkXOULyKY3cc
	 oyxmo8l+braFiCCvkEBRoniEbLd5K/3SlbR5DBtVvfE68xPe0uVK2VQS7ISMw6P+OT
	 kg28oPPSbyNxaRb3v4I+nawg4299rBVNgBw9BHtWFMpaQa+I62z9Ww7z6hpsuGZWQ2
	 A+uTLokt8Fg9Q==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 0B3EB682E9;
	Fri, 31 Oct 2025 00:55:57 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:10 -0600
Message-ID: <20251031065439.3251464-15-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: H2NG3XJACOBGPKUO2FVC7NXT6KAJXW5X
X-Message-ID-Hash: H2NG3XJACOBGPKUO2FVC7NXT6KAJXW5X
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 14/24] luks: Add a way to create an encrypted
 partition
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/H2NG3XJACOBGPKUO2FVC7NXT6KAJXW5X/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

If requested, use cryptsetup to encrypt a partition with the provided
passphrase.

This requires use of sudo since there doesn't seem to be any other way
to write files into a filesystem on an encrypted disk.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 test/py/tests/fs_helper.py | 109 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 107 insertions(+), 2 deletions(-)

diff --git a/test/py/tests/fs_helper.py b/test/py/tests/fs_helper.py
index e4ac946064f..49747be1788 100644
--- a/test/py/tests/fs_helper.py
+++ b/test/py/tests/fs_helper.py
@@ -8,7 +8,7 @@
 import re
 import os
 import shutil
-from subprocess import call, check_call, check_output, CalledProcessError
+from subprocess import call, check_call, check_output, CalledProcessError, run
 from subprocess import DEVNULL
 import tempfile
 
@@ -38,11 +38,20 @@ class FsHelper:
                 fsh.mk_fs()
                 ...
 
+        To create an encrypted LUKS1 partition:
+
+            with FsHelper(ubman.config, 'ext4', 10, 'mmc1',
+                          encrypt_passphrase='test') as fsh:
+                # create files in the fsh.srcdir directory
+                fsh.mk_fs()  # Creates and encrypts the filesystem
+                ...
+
     Properties:
         fs_img (str): Filename for the filesystem image; this is set to a
             default value but can be overwritten
     """
-    def __init__(self, config, fs_type, size_mb, prefix, part_mb=None):
+    def __init__(self, config, fs_type, size_mb, prefix, part_mb=None,
+                 encrypt_passphrase=None):
         """Set up a new object
 
         Args:
@@ -54,6 +63,8 @@ class FsHelper:
             part_mb (int, optional): Size of partition in MB. If None, defaults
                 to size_mb. This can be used to make the partition larger than
                 the filesystem, to create space for disk-encryption metadata
+            encrypt_passphrase (str, optional): If provided, encrypt the
+                filesystem with LUKS1 using this passphrase
         """
         if ('fat' not in fs_type and 'ext' not in fs_type and
              fs_type not in ['exfat', 'fs_generic']):
@@ -65,6 +76,7 @@ class FsHelper:
         self.partition_mb = part_mb if part_mb is not None else size_mb
         self.prefix = prefix
         self.quiet = True
+        self.encrypt_passphrase = encrypt_passphrase
 
         # Use a default filename; the caller can adjust it
         leaf = f'{prefix}.{fs_type}.img'
@@ -136,6 +148,10 @@ class FsHelper:
             check_call(f'mcopy -i {fs_img} {flags} {self.srcdir}/* ::/',
                     shell=True)
 
+        # Encrypt the filesystem if requested
+        if self.encrypt_passphrase:
+            self.encrypt_luks(self.encrypt_passphrase)
+
     def setup(self):
         """Set up the srcdir ready to receive files"""
         if not self.srcdir:
@@ -149,6 +165,95 @@ class FsHelper:
                 self.tmpdir = tempfile.TemporaryDirectory('fs_helper')
                 self.srcdir = self.tmpdir.name
 
+    def encrypt_luks(self, passphrase):
+        """Encrypt the filesystem image with LUKS1
+
+        This replaces the filesystem image with a LUKS1-encrypted version.
+        LUKS1 is used because U-Boot's unlock implementation currently only
+        supports LUKS version 1.
+
+        Args:
+            passphrase (str): Passphrase for the LUKS container
+
+        Returns:
+            str: Path to the encrypted image
+
+        Raises:
+            CalledProcessError: If cryptsetup is not available or fails
+        """
+        # LUKS1 encryption parameters
+        cipher = 'aes-cbc-essiv:sha256'
+        key_size = 256
+        hash_alg = 'sha256'
+
+        # Save the original filesystem image
+        orig_fs_img = f'{self.fs_img}.orig'
+        os.rename(self.fs_img, orig_fs_img)
+
+        # Create a new image file for the LUKS container
+        luks_img = self.fs_img
+        luks_size_mb = self.partition_mb
+        check_call(f'dd if=/dev/zero of={luks_img} bs=1M count={luks_size_mb}',
+                   shell=True, stdout=DEVNULL if self.quiet else None)
+
+        # Ensure device-mapper kernel module is loaded
+        if not os.path.exists('/sys/class/misc/device-mapper'):
+            # Try to load the dm_mod kernel module
+            result = run(['sudo', 'modprobe', 'dm_mod'],
+                        stdout=DEVNULL, stderr=DEVNULL, check=False)
+            if result.returncode != 0:
+                raise RuntimeError(
+                    'Device-mapper is not available. Please ensure the dm_mod '
+                    'kernel module is loaded and you have permission to use '
+                    'device-mapper. This is required for LUKS encryption tests.')
+
+        device_name = f'luks_test_{os.getpid()}'
+
+        # Clean up any stale device with the same name
+        run(['sudo', 'cryptsetup', 'close', device_name],
+            stdout=DEVNULL, stderr=DEVNULL, check=False)
+
+        try:
+            # Format as LUKS1
+            run(['cryptsetup', 'luksFormat',
+                 '--type', 'luks1',
+                 '--cipher', cipher,
+                 '--key-size', str(key_size),
+                 '--hash', hash_alg,
+                 '--iter-time', '10',  # Very fast for testing (low security)
+                 luks_img],
+                input=f'{passphrase}\n'.encode(),
+                stdout=DEVNULL if self.quiet else None,
+                stderr=DEVNULL if self.quiet else None,
+                check=True)
+
+            # Open the LUKS device (requires sudo)
+            # Use --key-file=- to read passphrase from stdin
+            result = run(['sudo', 'cryptsetup', 'open', '--key-file=-',
+                          luks_img, device_name], input=passphrase.encode(),
+                          stdout=DEVNULL if self.quiet else None, stderr=None,
+                          check=True)
+            # Copy the filesystem data into the LUKS container
+            check_call(f'sudo dd if={orig_fs_img} of=/dev/mapper/{device_name} bs=1M',
+                        shell=True, stdout=DEVNULL if self.quiet else None)
+
+            # Remove the original filesystem image
+            os.remove(orig_fs_img)
+
+        except Exception:
+            # Clean up on error
+            if os.path.exists(luks_img):
+                os.remove(luks_img)
+            if os.path.exists(orig_fs_img):
+                os.rename(orig_fs_img, self.fs_img)
+            raise
+        finally:
+            # Always close the device if it's still open
+            run(['sudo', 'cryptsetup', 'close', device_name],
+                stdout=DEVNULL, stderr=DEVNULL, check=False)
+
+        return self.fs_img
+
     def cleanup(self):
         """Remove created image"""
         if self.tmpdir:

From patchwork Fri Oct 31 06:54:11 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 665
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893769;
	bh=Ic30Ez9gLoUs7rhYUhKwlYvhONpjYGSxXh5TGehfqNg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=DRXQN34hx9T5Wsj3LvMfGA9Dvbr8JHshT3Xwe62Wb9FDsvDFdgAiCHLZMBFefY383
	 IycmEifz+9GURhqs/HMwLmBnQeLp3KaxIbNoIrsLWDmm0bq/oEGLJCDLGqX6mPWZbD
	 vHG2YpvyPRFH7l1+J4KAT5+kQziVCu509cFu5qCTmuq3J0w1ML6znMmMkZ04gwXhfG
	 F94lXsCwzp1s96kAh48PQWQ/EaSXV5DeIjm+eHOTT/XnWIo1oWXa9lo0/d/9uRjpeC
	 pNY4Key+ShHKq6Y/nByMx3FiLo2B3XqjV8wW3Akh8+jKDtwvu6AMNVbolkZb3yJZhy
	 5jII2IYzKT4Qg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 8EFBA68362
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:09 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id 1wPOrNuItof2 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:09 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893769;
	bh=Ic30Ez9gLoUs7rhYUhKwlYvhONpjYGSxXh5TGehfqNg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=DRXQN34hx9T5Wsj3LvMfGA9Dvbr8JHshT3Xwe62Wb9FDsvDFdgAiCHLZMBFefY383
	 IycmEifz+9GURhqs/HMwLmBnQeLp3KaxIbNoIrsLWDmm0bq/oEGLJCDLGqX6mPWZbD
	 vHG2YpvyPRFH7l1+J4KAT5+kQziVCu509cFu5qCTmuq3J0w1ML6znMmMkZ04gwXhfG
	 F94lXsCwzp1s96kAh48PQWQ/EaSXV5DeIjm+eHOTT/XnWIo1oWXa9lo0/d/9uRjpeC
	 pNY4Key+ShHKq6Y/nByMx3FiLo2B3XqjV8wW3Akh8+jKDtwvu6AMNVbolkZb3yJZhy
	 5jII2IYzKT4Qg==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 7E39D68316
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:09 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893767;
	bh=MRNzEXGwlwyp2o+U2J168nGNLTuEfguPlULkwy8Epv0=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=opAcE8istNUwKY8o1SHv7XWBxZqrokritH1l6rmHr+k57V+NsuGeGqeMW3wqoCIbO
	 E898lqx5cBTvmsYJFVmXNtyFHaL+h6YowCYgzxFTMWLZ38OZXM+wjt8M6d8PrpgSBf
	 +uL3OW5+LB+ERDQrzWobcsQh6/Koo1CcxSKo0HOTzdp0J30KQ56whyFVlZiu8HzOhc
	 4VaKScog2w2k/E5TzhrsNHeDU31TCWaHk550bTh0ZwDlY9ZVuXmk9mgk78V76a+6EA
	 5SbBkBmBfEuTFkZf6pBez0GxAGWTeYlLq8qxFEE6bgDgNdzFLy1hPr1WGWDsHhzcJu
	 H/0dzaJSYoLYw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 7566268321;
	Fri, 31 Oct 2025 00:56:07 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id th_xFdwEYFMA; Fri, 31 Oct 2025 00:56:07 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893763;
	bh=GjQV1INhU8/W72Y9udZ7UfVLIuo4MACXLeIvvUGiYQQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=t1+oD+3SchNHUncCPM3Xs0yp3sdAMawOo5BjQ167RWnt9rF4UdRWKXx3B9hEoQJ0y
	 ASu/a3r8ZDloY6m0nA2Q7lZdyIDEwgpveXdoJzud8zb7reTF2uSwiC0qyRrG77i0hx
	 1hYfp1llYDYP0ewPKzoi8tj1971Mg80eDOk7i4dVvhdxVt9FYx4xa1SiWAcE/Km9lY
	 i9F3Jh6R4op6AeqoSbQnKQTypj3b1Q35WNFjD2AMaoJ+dbko2gi+mr8cPB5xW3fv5q
	 9YCPXJN772dZw4SxF9IiRCwRWFMp5kDu2VKTLLKijH4COJDWb5fKPijERx6KcxHjKI
	 owNnaNAl0Up1g==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id C0225682E9;
	Fri, 31 Oct 2025 00:56:02 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:11 -0600
Message-ID: <20251031065439.3251464-16-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: DWCATFOGQZ5Q2K53ZONVEMLUQ3ZWBCIB
X-Message-ID-Hash: DWCATFOGQZ5Q2K53ZONVEMLUQ3ZWBCIB
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 15/24] luks: Encrypt the mmc11 test image
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/DWCATFOGQZ5Q2K53ZONVEMLUQ3ZWBCIB/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Encrypt the ext4 partition in this image so that we can use it for
tests.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

 test/py/img/common.py | 6 ++++--
 test/py/img/ubuntu.py | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/test/py/img/common.py b/test/py/img/common.py
index a08744fbb76..01745ce73b3 100644
--- a/test/py/img/common.py
+++ b/test/py/img/common.py
@@ -33,7 +33,7 @@ def copy_partition(ubman, fsfile, outname):
 
 
 def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
-                         script, part2_size=1):
+                         script, part2_size=1, use_fde=False):
     """Create a 20MB disk image with a single FAT partition
 
     Args:
@@ -46,6 +46,7 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
         dtbdir (str or None): Devicetree filename
         script (str): Script to place in the extlinux.conf file
         part2_size (int): Size of second partition in MB (default: 1)
+        use_fde (bool): True to encrypt the ext4 partition with LUKS1
     """
     fsh = FsHelper(config, 'vfat', 18, prefix=basename)
     fsh.setup()
@@ -80,7 +81,8 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
     img.add_fs(fsh, DiskHelper.VFAT, bootable=True)
 
     ext4 = FsHelper(config, 'ext4', max(1, part2_size - 30), prefix=basename,
-                    part_mb=part2_size)
+                    part_mb=part2_size,
+                    encrypt_passphrase='test' if use_fde else None)
     ext4.setup()
 
     bindir = os.path.join(ext4.srcdir, 'bin')
diff --git a/test/py/img/ubuntu.py b/test/py/img/ubuntu.py
index c60da4a0c41..58ee9f20277 100644
--- a/test/py/img/ubuntu.py
+++ b/test/py/img/ubuntu.py
@@ -49,4 +49,5 @@ label l0r
 	initrd /boot/%s
 ''' % ((version, vmlinux, initrd) * 2)
     setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
-                         script, part2_size=60 if use_fde else 1)
+                         script, part2_size=60 if use_fde else 1,
+                         use_fde=use_fde)

From patchwork Fri Oct 31 06:54:12 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 666
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893773;
	bh=gW3bv6xV1PUvQ7wh4me9spYT/gg3Ynt/TVBdfs0SKps=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=tDgMpfd+qKpJAmnAv+pHUQYoWUaKAxHW43+2gMXBzO9kanL7ICvnIOuAFzF4pZbPE
	 ORUP8ZRdIXJsGEmxlcXzBa1yRU5hpPOCvwdYSXLM1DxlBhEF5xLSXQShM4ibmFDkBY
	 hO4SzsPuOoZFvruZ+a+UYF8A6SnjeOUSFGNt2WeBnxD4BOsbN3B8OSaUm4FwjK83q/
	 VWmQYGSv9i4bAp4GgX8fthB0jA8Ig8228XhRO9skKIQEwWGjGzisL5NvWiB6Fkw7XC
	 3jZO7938QsXVV+uR4H2IB4QcE1Pxb2U/8/MC6JCHe35LOR2E/tGeXv2aJ6DIgwZVGt
	 5WPVEg4+f+diQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id ECAA068346
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:13 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id hPdB4sPiQ7lq for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:13 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893773;
	bh=gW3bv6xV1PUvQ7wh4me9spYT/gg3Ynt/TVBdfs0SKps=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=tDgMpfd+qKpJAmnAv+pHUQYoWUaKAxHW43+2gMXBzO9kanL7ICvnIOuAFzF4pZbPE
	 ORUP8ZRdIXJsGEmxlcXzBa1yRU5hpPOCvwdYSXLM1DxlBhEF5xLSXQShM4ibmFDkBY
	 hO4SzsPuOoZFvruZ+a+UYF8A6SnjeOUSFGNt2WeBnxD4BOsbN3B8OSaUm4FwjK83q/
	 VWmQYGSv9i4bAp4GgX8fthB0jA8Ig8228XhRO9skKIQEwWGjGzisL5NvWiB6Fkw7XC
	 3jZO7938QsXVV+uR4H2IB4QcE1Pxb2U/8/MC6JCHe35LOR2E/tGeXv2aJ6DIgwZVGt
	 5WPVEg4+f+diQ==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DC45B682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:13 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893771;
	bh=AI0GrIMqLs85enUW+qgKbp1rU5oSBugsv30DZcJ8/o8=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=etcbZzuv7yOMs960+ILatrZmoXAMFwZIMB/eFqZxmOrZvvi4U4r0W7YItnhg6rjnB
	 4sqPLvOcIneU8kG9TvE3YsigG+XB7DFKxRj+xXWxpKuUugIhGa0t9LwHigYn/MVkbU
	 r2VDiIYIL5eI3oQS6ZIAgkkfoZxfQ507PPoTUbGSHp67mk0CtWom/O07imIfRgQwde
	 GN9pHzmzCqb2usLGr7lrW5310TM52i8wabAg6xrQ3THDvlw69L7bOmOp59Up6cDMz6
	 9XTRPq/EJGBpzrDju5t/SDZPb30/lUJCOTy2ZrQs8zuxzLYfo7xyFHz/OtdVJo+Dsw
	 PgOcHjHIE7scg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id E0C18682CD;
	Fri, 31 Oct 2025 00:56:11 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id H_ZIAgHhl4YG; Fri, 31 Oct 2025 00:56:11 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893767;
	bh=n1AYld88K4LfTsT2SsS4cU/52rgureCPilG38kOonfw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=CgZ6PxpE6FndWP5NVVPl5wye4g8kNGgimoXAc3gZwsCr4vUkLNB0lPTez1uYsqLyq
	 9ZTHwmQ90g+ClDpUUVWKkkq8Y7ODKEqV3HruVTLdw2Guah6Q1k4MhetxtIYl86NW8H
	 NF+DbawjX0V8xgLjdSqaCkJd5Z5VFqv9ivXn0PDdtRiSAySTiAsQ71DmLeVCV1mOg+
	 ROD4AnJVhfg/YOZlRqjcTMiW3WFBnszu1VoGi/4ReD6nBQJBfHD4hnvSHCX64ySMSN
	 hy/tg8t8GNcbe0GjQR8IF1f2voSthcS+MVPJFrCC2S2mHqPoZhmo/Tp3RfKpkgmFy+
	 CYrm+Np+vLtlA==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 667065FBA9;
	Fri, 31 Oct 2025 00:56:07 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:12 -0600
Message-ID: <20251031065439.3251464-17-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: NJDBI4A56IFMEMVFZ6IHMNMGPGM4F5FL
X-Message-ID-Hash: NJDBI4A56IFMEMVFZ6IHMNMGPGM4F5FL
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 16/24] luks: Add the beginning of LUKS support
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/NJDBI4A56IFMEMVFZ6IHMNMGPGM4F5FL/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Linux Unified Key Setup (LUKS) provides a way to encryption a disk
partition with a a key an later unlock it. There are two versions (1 and
2).

Add a definition of the main structures and the ability to detect a LUKS
partition.

Enable this for the sandbox board.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 MAINTAINERS               |   8 +++
 configs/sandbox_defconfig |   1 +
 drivers/block/Kconfig     |  21 ++++++
 drivers/block/Makefile    |   1 +
 drivers/block/luks.c      |  63 +++++++++++++++++
 include/luks.h            | 140 ++++++++++++++++++++++++++++++++++++++
 test/boot/Makefile        |   1 +
 test/boot/luks.c          |  67 ++++++++++++++++++
 8 files changed, 302 insertions(+)
 create mode 100644 drivers/block/luks.c
 create mode 100644 include/luks.h
 create mode 100644 test/boot/luks.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 2a2a42aec5e..08d3806b6c7 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1289,6 +1289,14 @@ F:	lib/getopt.c
 F:	test/log/
 F:	test/py/tests/test_log.py
 
+LUKS
+M:	Simon Glass <sjg@chromium.org>
+S:	Maintained
+T:	git https://concept.u-boot.org/u-boot/u-boot.git
+F:	drivers/block/luks.c
+F:	include/luks.h
+F:	test/boot/luks.c
+
 MALI DISPLAY PROCESSORS
 M:	Liviu Dudau <liviu.dudau@foss.arm.com>
 S:	Supported
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 601afde421d..6a4b3e4363a 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -362,6 +362,7 @@ CONFIG_ADDR_MAP=y
 CONFIG_PANIC_POWEROFF=y
 CONFIG_CMD_DHRYSTONE=y
 CONFIG_MBEDTLS_LIB=y
+CONFIG_BLK_LUKS=y
 CONFIG_ECDSA=y
 CONFIG_ECDSA_VERIFY=y
 CONFIG_TPM=y
diff --git a/drivers/block/Kconfig b/drivers/block/Kconfig
index adf13f2a243..b07012ec7c9 100644
--- a/drivers/block/Kconfig
+++ b/drivers/block/Kconfig
@@ -269,3 +269,24 @@ config RKMTD
 	  Enable "rkmtd" class and driver to create a virtual block device
 	  to transfer Rockchip boot block data to and from NAND with block
 	  orientate tools like "ums" and "rockusb".
+
+config BLK_LUKS
+	bool "Enable LUKS detection and decryption support"
+	depends on BLK && MBEDTLS_LIB
+	select BLKMAP
+	select AES
+	select SHA256
+	select PBKDF2
+	select PKCS5_MBEDTLS if MBEDTLS_LIB_CRYPTO
+	help
+	  This provides support for detecting and decrypting LUKS (Linux Unified
+	  Key Setup) encrypted partitions. LUKS is a disk encryption specification
+	  used for full disk encryption on Linux systems.
+
+	  This option enables detection of both LUKS1 and LUKS2 encrypted
+	  partitions by checking for the LUKS magic bytes and version
+	  information in the partition header.
+
+	  LUKS1 decryption is supported using PBKDF2 key derivation and AES-CBC.
+	  Decrypted partitions can be accessed transparently through the blkmap
+	  device layer.
diff --git a/drivers/block/Makefile b/drivers/block/Makefile
index f5a9d8637a3..b428a5cfb78 100644
--- a/drivers/block/Makefile
+++ b/drivers/block/Makefile
@@ -11,6 +11,7 @@ endif
 
 ifndef CONFIG_XPL_BUILD
 obj-$(CONFIG_IDE) += ide.o
+obj-$(CONFIG_BLK_LUKS) += luks.o
 obj-$(CONFIG_RKMTD) += rkmtd.o
 endif
 obj-$(CONFIG_SANDBOX) += sandbox.o host-uclass.o host_dev.o
diff --git a/drivers/block/luks.c b/drivers/block/luks.c
new file mode 100644
index 00000000000..189226cb0ab
--- /dev/null
+++ b/drivers/block/luks.c
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * LUKS (Linux Unified Key Setup) filesystem support
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ */
+
+#include <blk.h>
+#include <dm.h>
+#include <hexdump.h>
+#include <log.h>
+#include <luks.h>
+#include <memalign.h>
+#include <part.h>
+#include <uboot_aes.h>
+#include <linux/byteorder/generic.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/string.h>
+#include <mbedtls/md.h>
+#include <mbedtls/pkcs5.h>
+
+int luks_get_version(struct udevice *blk, struct disk_partition *pinfo)
+{
+	struct blk_desc *desc;
+	int version;
+
+	desc = dev_get_uclass_plat(blk);
+
+	ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, desc->blksz);
+
+	/* Read first block of the partition */
+	if (blk_dread(desc, pinfo->start, 1, buffer) != 1) {
+		log_debug("Error: failed to read LUKS header\n");
+		return -EIO;
+	}
+
+	/* Check for LUKS magic bytes */
+	if (memcmp(buffer, LUKS_MAGIC, LUKS_MAGIC_LEN))
+		return -ENOENT;
+
+	/* Read version field (16-bit big-endian at offset 6) */
+	version = be16_to_cpu(*(__be16 *)(buffer + LUKS_MAGIC_LEN));
+
+	/* Validate version */
+	if (version != LUKS_VERSION_1 && version != LUKS_VERSION_2) {
+		log_debug("Warning: unknown LUKS version %d\n", version);
+		return -EPROTONOSUPPORT;
+	}
+
+	return version;
+}
+
+int luks_detect(struct udevice *blk, struct disk_partition *pinfo)
+{
+	int version;
+
+	version = luks_get_version(blk, pinfo);
+	if (IS_ERR_VALUE(version))
+		return version;
+
+	return 0;
+}
diff --git a/include/luks.h b/include/luks.h
new file mode 100644
index 00000000000..ea6dd510c53
--- /dev/null
+++ b/include/luks.h
@@ -0,0 +1,140 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * LUKS (Linux Unified Key Setup) filesystem support
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ */
+
+#ifndef __LUKS_H__
+#define __LUKS_H__
+
+#include <linux/types.h>
+
+struct udevice;
+struct disk_partition;
+
+/* LUKS magic bytes: "LUKS" followed by 0xba 0xbe */
+#define LUKS_MAGIC		"LUKS\xba\xbe"
+#define LUKS_MAGIC_LEN		6
+
+/* LUKS versions */
+#define LUKS_VERSION_1		1
+#define LUKS_VERSION_2		2
+
+/* LUKS constants */
+#define LUKS_DIGESTSIZE		20
+#define LUKS_SALTSIZE		32
+#define LUKS_NUMKEYS		8
+#define LUKS_KEY_DISABLED	0x0000dead
+#define LUKS_KEY_ENABLED	0x00ac71f3
+#define LUKS_STRIPES		4000
+
+/**
+ * struct luks1_keyslot - LUKS1 key slot
+ *
+ * @active:		Key slot state (LUKS_KEY_ENABLED/DISABLED)
+ * @iterations:		PBKDF2 iteration count
+ * @salt:		Salt for PBKDF2
+ * @key_material_offset: Start sector of key material
+ * @stripes:		Number of anti-forensic stripes
+ */
+struct luks1_keyslot {
+	__be32		active;
+	__be32		iterations;
+	char		salt[LUKS_SALTSIZE];
+	__be32		key_material_offset;
+	__be32		stripes;
+} __packed;
+
+/**
+ * struct luks1_phdr - LUKS1 header structure
+ *
+ * @magic:		LUKS magic bytes
+ * @version:		LUKS version
+ * @cipher_name:	Cipher name
+ * @cipher_mode:	Cipher mode
+ * @hash_spec:		Hash specification
+ * @payload_offset:	Payload offset in sectors
+ * @key_bytes:		Key length in bytes
+ * @mk_digest:		Master key digest
+ * @mk_digest_salt:	Salt for master key digest
+ * @mk_digest_iter:	Iterations for master key digest
+ * @uuid:		Partition UUID
+ * @key_slot:		Key slots (8 total)
+ */
+struct luks1_phdr {
+	char		magic[LUKS_MAGIC_LEN];
+	__be16		version;
+	char		cipher_name[32];
+	char		cipher_mode[32];
+	char		hash_spec[32];
+	__be32		payload_offset;
+	__be32		key_bytes;
+	char		mk_digest[LUKS_DIGESTSIZE];
+	char		mk_digest_salt[LUKS_SALTSIZE];
+	__be32		mk_digest_iter;
+	char		uuid[40];
+	struct luks1_keyslot key_slot[LUKS_NUMKEYS];
+} __packed;
+
+/**
+ * struct luks2_hdr - LUKS2 binary header
+ *
+ * @magic:	LUKS magic bytes
+ * @version:	LUKS version
+ * @hdr_size:	Header size (includes binary header + JSON area)
+ * @seqid:	Sequence ID
+ * @label:	Label string
+ * @csum_alg:	Checksum algorithm
+ * @salt:	Salt for header checksum
+ * @uuid:	Partition UUID
+ * @subsystem:	Subsystem identifier
+ * @hdr_offset:	Offset of this header
+ * @_padding:	Reserved padding
+ * @csum:	Header checksum
+ * @_padding4096: Padding to 4096 bytes
+ */
+struct luks2_hdr {
+	char		magic[LUKS_MAGIC_LEN];
+	__be16		version;
+	__be64		hdr_size;
+	__be64		seqid;
+	char		label[48];
+	char		csum_alg[32];
+	u8		salt[64];
+	char		uuid[40];
+	char		subsystem[48];
+	__be64		hdr_offset;
+	u8		_padding[184];
+	u8		csum[64];
+	u8		_padding4096[3584];
+} __packed;
+
+/**
+ * luks_detect() - Detect if a partition is LUKS encrypted
+ *
+ * @blk:	Block device
+ * @pinfo:	Partition information
+ * Return:	0 if LUKS partition detected, -ve on error
+ */
+int luks_detect(struct udevice *blk, struct disk_partition *pinfo);
+
+/**
+ * luks_get_version() - Get LUKS version of a partition
+ *
+ * @blk:	Block device
+ * @pinfo:	Partition information
+ * Return:	LUKS version (1 or 2) if detected, -ve on error
+ */
+int luks_get_version(struct udevice *blk, struct disk_partition *pinfo);
+
+/**
+ * luks_show_info() - Display LUKS header information
+ *
+ * @blk:	Block device
+ * @pinfo:	Partition information
+ * Return:	0 on success, -ve on error
+ */
+int luks_show_info(struct udevice *blk, struct disk_partition *pinfo);
+
+#endif /* __LUKS_H__ */
diff --git a/test/boot/Makefile b/test/boot/Makefile
index 7c492ba92af..71c482f8d24 100644
--- a/test/boot/Makefile
+++ b/test/boot/Makefile
@@ -5,6 +5,7 @@
 ifdef CONFIG_UT_BOOTSTD
 obj-$(CONFIG_BOOTSTD) += bootdev.o bootstd_common.o bootflow.o bootmeth.o
 obj-$(CONFIG_FIT) += image.o
+obj-$(CONFIG_BLK_LUKS) += luks.o
 
 obj-$(CONFIG_EXPO) += expo.o expo_common.o
 obj-$(CONFIG_CEDIT) += cedit.o expo_common.o
diff --git a/test/boot/luks.c b/test/boot/luks.c
new file mode 100644
index 00000000000..684fd643c3a
--- /dev/null
+++ b/test/boot/luks.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Test for LUKS detection
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ */
+
+#include <blk.h>
+#include <dm.h>
+#include <luks.h>
+#include <mmc.h>
+#include <part.h>
+#include <asm/global_data.h>
+#include <dm/device-internal.h>
+#include <dm/lists.h>
+#include <dm/test.h>
+#include <test/test.h>
+#include <test/ut.h>
+#include "bootstd_common.h"
+
+DECLARE_GLOBAL_DATA_PTR;
+
+/* Common function to setup mmc11 device */
+static int setup_mmc11(struct unit_test_state *uts, struct udevice **mmcp)
+{
+	ofnode root, node;
+
+	/* Enable the mmc11 node */
+	root = oftree_root(oftree_default());
+	node = ofnode_find_subnode(root, "mmc11");
+	ut_assert(ofnode_valid(node));
+	ut_assertok(lists_bind_fdt(gd->dm_root, node, mmcp, NULL, false));
+
+	/* Probe the device */
+	ut_assertok(device_probe(*mmcp));
+
+	return 0;
+}
+
+/* Test LUKS detection on mmc11 partitions */
+static int bootstd_test_luks_detect(struct unit_test_state *uts)
+{
+	struct disk_partition info;
+	struct blk_desc *desc;
+	struct udevice *mmc;
+	int ret;
+
+	ut_assertok(setup_mmc11(uts, &mmc));
+	desc = blk_get_by_device(mmc);
+	ut_assertnonnull(desc);
+	ut_assertnonnull(desc->bdev);
+
+	/* Check partition 1 - should NOT be LUKS */
+	ut_assertok(part_get_info(desc, 1, &info));
+	ret = luks_detect(desc->bdev, &info);
+	ut_assert(ret < 0);  /* Should fail - not LUKS */
+
+	/* Check partition 2 - should BE LUKS */
+	ut_assertok(part_get_info(desc, 2, &info));
+	ut_assertok(luks_detect(desc->bdev, &info));
+
+	/* Verify it's LUKS version 1 */
+	ut_asserteq(1, luks_get_version(desc->bdev, &info));
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks_detect, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);

From patchwork Fri Oct 31 06:54:13 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 667
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893779;
	bh=RnwmytGi0MFXtNQpmxkO6grjCJD82l6tbpaTWxS5tVg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=SCOlvGBNqk9rArFv8ZBdfyKS10CA3AdoYlHNm3vb2610a7ZexmqmWV+xwx3F+rbrO
	 MphXkxOjwDVYa4FN17L/vU0JOY33QpfDc4kdlbQf7cT9QJSBQqs9QPGG/ynDVIU7vP
	 TPykhN4lvnWVXwT6XhOgtiBWaEsGwNWiS7xx7GAYFcgzdIQvQhsJPH9luNmtthIFao
	 SIZJTn1Bj+l/wrizyUvb06a6bSYpf8Q3uwF4wpBrlqv0XBLWaIB9LDMarw3JUngpNW
	 5MjeSuMxJR0pXizhaU/VMJN8elZHAw9d/T/QZhCLOtIUQ9WzrXKS0o/d6aCWnBt+2M
	 VeAMAUEiPzp5g==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4F65768351
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:19 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id DKs3g9rqbM4A for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:19 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893779;
	bh=RnwmytGi0MFXtNQpmxkO6grjCJD82l6tbpaTWxS5tVg=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=SCOlvGBNqk9rArFv8ZBdfyKS10CA3AdoYlHNm3vb2610a7ZexmqmWV+xwx3F+rbrO
	 MphXkxOjwDVYa4FN17L/vU0JOY33QpfDc4kdlbQf7cT9QJSBQqs9QPGG/ynDVIU7vP
	 TPykhN4lvnWVXwT6XhOgtiBWaEsGwNWiS7xx7GAYFcgzdIQvQhsJPH9luNmtthIFao
	 SIZJTn1Bj+l/wrizyUvb06a6bSYpf8Q3uwF4wpBrlqv0XBLWaIB9LDMarw3JUngpNW
	 5MjeSuMxJR0pXizhaU/VMJN8elZHAw9d/T/QZhCLOtIUQ9WzrXKS0o/d6aCWnBt+2M
	 VeAMAUEiPzp5g==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 3EECD682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:19 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893776;
	bh=mrLEepDf+hh8TAix/7WqLWQr2Vew0JtTvRPmfIC7Enw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=P24dYx7nlCYG4Wxcn3pCMGceNtyTOYXIQ0dsGt+enpIowwxancVbSPjaf+KF6PB37
	 qgoSrQlgODWKUEXV4PicOFJQmYIckB0znE+BTNANExJwcMX4nhj4hejNoKSCTeHLwk
	 9CWlbiUNH8njpRYbDwG5PhkTlRHutIsNMDLytp2NbV0oinkhFHJV+NoH6i+dmCQYgY
	 pUpFIVgc8LUXS9NK6L0r7ZGFXvv7Yf3KPS9lGNvD6A1IR54QZxHq3QiCeuX9ctRGZt
	 Ro93z9OTZJB5T05aDN95raNF+HAWXLdvRfySf6gRcRScECugtu3SolVvPMKdn9bvi9
	 afvlpKztbZRiQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id B03CF682CD;
	Fri, 31 Oct 2025 00:56:16 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id eEaEjx7xS9dc; Fri, 31 Oct 2025 00:56:16 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893772;
	bh=BXkN2GnQsyyCW7D/jUyGzOC99IVV3urclluBDG/hhpA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=AAyjW1Q1mjuvNfd/pD7eWbShOYtKcX9C5uyMDMhQ23jRXy8CSBUlmUlr61cxAf4XI
	 z8DRD9PunLecnxP8GwerXGKyN4nknRKgB03eLKBoOr2nlvciy+FVXMzwTQxIxkq6a5
	 hZEQzBXNV8MnSDoIGrUIWEoDnNbj6xnKy34XbzonCGCngHvjEmscTiOjtVdr0x1mUZ
	 C37Y1e1SFnoZEVKtkdbFKOQ6eZ3CXjy2aY8TEQGaQhOhWH+1pHZWyE0paBpl0aW1sY
	 NIbKgL7YN1o5qrbQh96PAbX9G6BahQDr4u2sBo0m4zI0K89JOuixKly+nqrC9SOG3z
	 X3RdEX0rJNIVQ==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 310FC5FBA9;
	Fri, 31 Oct 2025 00:56:12 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:13 -0600
Message-ID: <20251031065439.3251464-18-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: MFJD3VZKYWG5EY7KCSHHML32KUS6PVG6
X-Message-ID-Hash: MFJD3VZKYWG5EY7KCSHHML32KUS6PVG6
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 17/24] luks: Add a simple command
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/MFJD3VZKYWG5EY7KCSHHML32KUS6PVG6/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add a 'luks' command which allows querying a partition to see if it is
encrypted using LUKS, as well as showing information about a LUKS
partition.

Provide some documentation and a test.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 MAINTAINERS            |   2 +
 cmd/Kconfig            |   9 +++
 cmd/Makefile           |   1 +
 cmd/luks.c             |  67 ++++++++++++++++++++
 doc/usage/cmd/luks.rst | 139 +++++++++++++++++++++++++++++++++++++++++
 doc/usage/index.rst    |   1 +
 drivers/block/luks.c   |  59 +++++++++++++++--
 test/boot/luks.c       |  42 +++++++++++++
 8 files changed, 315 insertions(+), 5 deletions(-)
 create mode 100644 cmd/luks.c
 create mode 100644 doc/usage/cmd/luks.rst

diff --git a/MAINTAINERS b/MAINTAINERS
index 08d3806b6c7..9b00829db93 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1293,6 +1293,8 @@ LUKS
 M:	Simon Glass <sjg@chromium.org>
 S:	Maintained
 T:	git https://concept.u-boot.org/u-boot/u-boot.git
+F:	cmd/luks.c
+F:	doc/usage/cmd/luks.rst
 F:	drivers/block/luks.c
 F:	include/luks.h
 F:	test/boot/luks.c
diff --git a/cmd/Kconfig b/cmd/Kconfig
index f4d6e544cc0..a45df78c8fd 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2819,6 +2819,15 @@ config CMD_FS_UUID
 	help
 	  Enables fsuuid command for filesystem UUID.
 
+config CMD_LUKS
+	bool "luks command"
+	depends on BLK_LUKS
+	default y if BLK_LUKS
+	help
+	  Enables the 'luks' command for detecting LUKS (Linux Unified Key
+	  Setup) encrypted partitions. This command checks if a partition
+	  is LUKS encrypted and displays the LUKS version (1 or 2).
+
 config CMD_JFFS2
 	bool "jffs2 command"
 	select FS_JFFS2
diff --git a/cmd/Makefile b/cmd/Makefile
index 28e9c261683..2c6a16752bd 100644
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -90,6 +90,7 @@ obj-$(CONFIG_CMD_SQUASHFS) += sqfs.o
 obj-$(CONFIG_CMD_SELECT_FONT) += font.o
 obj-$(CONFIG_CMD_FLASH) += flash.o
 obj-$(CONFIG_CMD_FPGA) += fpga.o
+obj-$(CONFIG_CMD_LUKS) += luks.o
 obj-$(CONFIG_CMD_FPGAD) += fpgad.o
 obj-$(CONFIG_CMD_FS_GENERIC) += fs.o
 obj-$(CONFIG_CMD_FUSE) += fuse.o
diff --git a/cmd/luks.c b/cmd/luks.c
new file mode 100644
index 00000000000..04ddcdb1d46
--- /dev/null
+++ b/cmd/luks.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * LUKS (Linux Unified Key Setup) command
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ */
+
+#include <blk.h>
+#include <command.h>
+#include <dm.h>
+#include <luks.h>
+#include <part.h>
+
+static int do_luks_detect(struct cmd_tbl *cmdtp, int flag, int argc,
+			  char *const argv[])
+{
+	struct blk_desc *dev_desc;
+	struct disk_partition info;
+	int part, ret, version;
+
+	if (argc != 3)
+		return CMD_RET_USAGE;
+
+	part = blk_get_device_part_str(argv[1], argv[2], &dev_desc, &info, 1);
+	if (part < 0)
+		return CMD_RET_FAILURE;
+
+	ret = luks_detect(dev_desc->bdev, &info);
+	if (ret < 0) {
+		printf("Not a LUKS partition (error %dE)\n", ret);
+		return CMD_RET_FAILURE;
+	}
+	version = luks_get_version(dev_desc->bdev, &info);
+	printf("LUKS%d encrypted partition detected\n", version);
+
+	return CMD_RET_SUCCESS;
+}
+
+static int do_luks_info(struct cmd_tbl *cmdtp, int flag, int argc,
+			char *const argv[])
+{
+	struct blk_desc *dev_desc;
+	struct disk_partition info;
+	int part, ret;
+
+	if (argc != 3)
+		return CMD_RET_USAGE;
+
+	part = blk_get_device_part_str(argv[1], argv[2], &dev_desc, &info, 1);
+	if (part < 0)
+		return CMD_RET_FAILURE;
+
+	ret = luks_show_info(dev_desc->bdev, &info);
+	if (ret < 0)
+		return CMD_RET_FAILURE;
+
+	return CMD_RET_SUCCESS;
+}
+
+static char luks_help_text[] =
+	"detect <interface> <dev[:part]> - detect if partition is LUKS encrypted\n"
+	"luks info <interface> <dev[:part]> - show LUKS header information";
+
+U_BOOT_CMD_WITH_SUBCMDS(luks, "LUKS (Linux Unified Key Setup) operations",
+			luks_help_text,
+	U_BOOT_SUBCMD_MKENT(detect, 3, 1, do_luks_detect),
+	U_BOOT_SUBCMD_MKENT(info, 3, 1, do_luks_info));
diff --git a/doc/usage/cmd/luks.rst b/doc/usage/cmd/luks.rst
new file mode 100644
index 00000000000..b88fcd96439
--- /dev/null
+++ b/doc/usage/cmd/luks.rst
@@ -0,0 +1,139 @@
+.. SPDX-License-Identifier: GPL-2.0+:
+
+.. index::
+   single: luks (command)
+
+luks command
+============
+
+Synopsis
+--------
+
+::
+
+    luks detect <interface> <dev[:part]>
+    luks info <interface> <dev[:part]>
+
+Description
+-----------
+
+The *luks* command provides an interface to detect and inspect LUKS
+(Linux Unified Key Setup) encrypted partitions. LUKS is a disk encryption
+specification used for full disk encryption on Linux systems.
+
+This command supports:
+
+* Detection of LUKS encrypted partitions (LUKS1 and LUKS2)
+* Display of LUKS header information
+* Access to decrypted data via blkmap devices
+
+The LUKS format uses a distinctive header containing:
+
+* Magic bytes: "LUKS" followed by 0xBA 0xBE
+* Version information (16-bit big-endian)
+* Encryption metadata (cipher, mode, hash specification)
+
+luks detect
+~~~~~~~~~~~
+
+Detect whether a specified partition is LUKS encrypted and report its version.
+
+interface
+    The storage interface type (e.g., mmc, usb, scsi)
+
+dev[:part]
+    The device number and optional partition number. If partition is omitted,
+    defaults to the whole device.
+
+luks info
+~~~~~~~~~
+
+Display detailed header information for a LUKS encrypted partition. This
+subcommand reads the LUKS header and displays format-specific metadata.
+
+For LUKS1 partitions, the following information is displayed:
+
+* Version number
+* Cipher name (encryption algorithm)
+* Cipher mode (e.g., xts-plain64)
+* Hash specification (e.g., sha256)
+* Payload offset (in sectors)
+* Key bytes (key size)
+
+For LUKS2 partitions, the following information is displayed:
+
+* Version number
+* Header size (in bytes)
+* Sequence ID (metadata update counter)
+* UUID (partition identifier)
+* Label (optional partition label)
+* Checksum algorithm
+* Full JSON metadata containing:
+
+  - keyslots: Encryption key slot information including KDF parameters
+  - tokens: Optional token metadata
+  - segments: Encrypted data segment descriptions
+  - digests: Master key digest information
+  - config: Configuration parameters
+
+interface
+    The storage interface type (e.g., mmc, usb, scsi)
+
+dev[:part]
+    The device number and optional partition number. If partition is omitted,
+    defaults to the whole device.
+
+Examples
+--------
+
+Check if MMC device 0 partition 2 is LUKS encrypted::
+
+    => luks detect mmc 0:2
+    LUKS2 encrypted partition detected
+
+Check a USB device partition::
+
+    => luks detect usb 0:1
+    Not a LUKS partition (error -2: No such file or directory)
+
+Display LUKS header information for a LUKS2 partition::
+
+    => luks info mmc 0:2
+    Version:        2
+    Header size:    16384 bytes
+    Sequence ID:    3
+    UUID:           7640da3a-d0a2-4238-9813-4714e7f62203
+    Label:
+    Checksum alg:   sha256
+
+Display LUKS header information for a LUKS1 partition::
+
+    => luks info mmc 1:1
+    Version:        1
+    Cipher name:    aes
+    Cipher mode:    cbc-essiv:sha256
+    Hash spec:      sha256
+    Payload offset: 4096 sectors
+    Key bytes:      32
+
+Configuration
+-------------
+
+The luks command is available when CONFIG_CMD_LUKS is enabled.
+
+For LUKS detection and info commands::
+
+    CONFIG_BLK_LUKS=y
+    CONFIG_CMD_LUKS=y
+
+Return value
+------------
+
+For *detect* and *info*: The return value $? is 0 (true) on success, 1 (false)
+on failure.
+
+See also
+--------
+
+* cryptsetup project: https://gitlab.com/cryptsetup/cryptsetup
+* LUKS on-disk format specifications: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home
diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 2fff101868c..2bb01211227 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -93,6 +93,7 @@ Shell commands
    cmd/loads
    cmd/loadx
    cmd/loady
+   cmd/luks
    cmd/meminfo
    cmd/mbr
    cmd/md
diff --git a/drivers/block/luks.c b/drivers/block/luks.c
index 189226cb0ab..597359b98ff 100644
--- a/drivers/block/luks.c
+++ b/drivers/block/luks.c
@@ -22,15 +22,13 @@
 
 int luks_get_version(struct udevice *blk, struct disk_partition *pinfo)
 {
-	struct blk_desc *desc;
+	struct blk_desc *desc = dev_get_uclass_plat(blk);
+	ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, desc->blksz);
 	int version;
 
-	desc = dev_get_uclass_plat(blk);
-
-	ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, desc->blksz);
 
 	/* Read first block of the partition */
-	if (blk_dread(desc, pinfo->start, 1, buffer) != 1) {
+	if (blk_read(blk, pinfo->start, 1, buffer) != 1) {
 		log_debug("Error: failed to read LUKS header\n");
 		return -EIO;
 	}
@@ -61,3 +59,54 @@ int luks_detect(struct udevice *blk, struct disk_partition *pinfo)
 
 	return 0;
 }
+
+int luks_show_info(struct udevice *blk, struct disk_partition *pinfo)
+{
+	struct blk_desc *desc = dev_get_uclass_plat(blk);
+	ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, desc->blksz);
+	int version;
+
+	/* Read first block of the partition */
+	if (blk_read(blk, pinfo->start, 1, buffer) != 1) {
+		printf("Error: failed to read LUKS header\n");
+		return -EIO;
+	}
+
+	/* Check for LUKS magic bytes */
+	if (memcmp(buffer, LUKS_MAGIC, LUKS_MAGIC_LEN)) {
+		printf("Not a LUKS partition\n");
+		return -ENOENT;
+	}
+
+	/* Read version field */
+	version = be16_to_cpu(*(__be16 *)(buffer + LUKS_MAGIC_LEN));
+
+	printf("Version:        %d\n", version);
+	if (version == LUKS_VERSION_1) {
+		struct luks1_phdr *luks1_hdr = (struct luks1_phdr *)buffer;
+
+		printf("Cipher name:    %.32s\n", luks1_hdr->cipher_name);
+		printf("Cipher mode:    %.32s\n", luks1_hdr->cipher_mode);
+		printf("Hash spec:      %.32s\n", luks1_hdr->hash_spec);
+		printf("Payload offset: %u sectors\n",
+		       be32_to_cpu(luks1_hdr->payload_offset));
+		printf("Key bytes:      %u\n",
+		       be32_to_cpu(luks1_hdr->key_bytes));
+	} else if (version == LUKS_VERSION_2) {
+		struct luks2_hdr *luks2_hdr = (struct luks2_hdr *)buffer;
+		u64 hdr_size;
+
+		hdr_size = be64_to_cpu(luks2_hdr->hdr_size);
+
+		printf("Header size:    %llu bytes\n", hdr_size);
+		printf("Sequence ID:    %llu\n", be64_to_cpu(luks2_hdr->seqid));
+		printf("UUID:           %.40s\n", luks2_hdr->uuid);
+		printf("Label:          %.48s\n", luks2_hdr->label);
+		printf("Checksum alg:   %.32s\n", luks2_hdr->csum_alg);
+	} else {
+		printf("Unknown LUKS version\n");
+		return -EPROTONOSUPPORT;
+	}
+
+	return 0;
+}
diff --git a/test/boot/luks.c b/test/boot/luks.c
index 684fd643c3a..fadd3819ffe 100644
--- a/test/boot/luks.c
+++ b/test/boot/luks.c
@@ -65,3 +65,45 @@ static int bootstd_test_luks_detect(struct unit_test_state *uts)
 	return 0;
 }
 BOOTSTD_TEST(bootstd_test_luks_detect, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKS command on mmc11 partitions */
+static int bootstd_test_luks_cmd(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc11(uts, &mmc));
+
+	/* Test partition 1 - should NOT be LUKS */
+	ut_asserteq(1, run_command("luks detect mmc b:1", 0));
+	ut_assert_nextlinen("Not a LUKS partition (error -");
+	ut_assert_console_end();
+
+	/* Test partition 2 - should BE LUKS */
+	ut_assertok(run_command("luks detect mmc b:2", 0));
+	ut_assert_nextline("LUKS1 encrypted partition detected");
+	ut_assert_console_end();
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks_cmd, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKS info command on mmc11 partition 2 */
+static int bootstd_test_luks_info(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc11(uts, &mmc));
+
+	/* Test partition 2 LUKS info */
+	ut_assertok(run_command("luks info mmc b:2", 0));
+	ut_assert_nextline("Version:        1");
+	ut_assert_nextlinen("Cipher name:");
+	ut_assert_nextlinen("Cipher mode:");
+	ut_assert_nextlinen("Hash spec:");
+	ut_assert_nextlinen("Payload offset:");
+	ut_assert_nextlinen("Key bytes:");
+	ut_assert_console_end();
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);

From patchwork Fri Oct 31 06:54:14 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 668
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893781;
	bh=k+MT8OgHsSA76FCQZwX54c51xkPJ9vLINqoBXWWNCC4=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=MSOMO0cr2KzXjfVvBql15HfN4kW3hKZgs2zJAgva0DT/Todqz/S1HUeT8UH0Xgocj
	 2SUYwME228r+bP1O0HzILYA1LbODOAkhxUVRJ5AYhEcupn2Bku+YYHZHxfNra/JrEq
	 qvtmstdxCZ7JagJGNIDCND1BXeeauWfwxyR7yc3JvihrXn1nmm0LIQ0RC8xexBWYfO
	 6FYTKuWAQixtIcx/0SA5TjndPAeNPLRAvuRYZ5AcWdjPgythO/bK+2Hv/5wcD7fOgT
	 c2lweWiI71kJ0rWp67OtERuPA1o6/xA7Rxp1b9MJBcNijOVKTRMB2fxk7+5LDxahPB
	 vMXqyMgChUlkQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id A2D3E682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:21 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id XY-ZZ0NyUAbs for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:21 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893779;
	bh=k+MT8OgHsSA76FCQZwX54c51xkPJ9vLINqoBXWWNCC4=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=SuGSgUmqJ2Pq5iOL3qkXj8b62fQ6ZTIpUx2vxRpyIdXnioqO6Lgj05AehqT2sf28y
	 PpLYjrAdTygTBwpbIeE4qQVyYk8I82zZnYkZTILEtWrW7Wmh+H4HOXCrNleYFPvs7t
	 rJDSuhturNpS0AH4H3JIyR3vLtAZjlFeLnkZxWIylpIV2ag5RO+c+c3gT98gmNu8ZR
	 e518GMHi9alR21aoZIQOBggcszdEBHrZV/NIlEvvWFtA0tcVYpPshb9zqutu+vfen+
	 B4yLC6MMcSPPt+aGquYBVfjY+W+BlZAhmqGhWbx3ia2do+JoQn1mMBNl7z/1igQjRB
	 Mgdxehj90WxZQ==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 9F5EA682CD
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:19 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893777;
	bh=p9DtwHLKYZi74v5LYbUHWTNZh6/bFCbT52dmOPY1mLg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=vE4soZDuaC4wpBgIcwz6YuOt71uSrbkXMLLGe7dlM6E7Xst0HLvY08Cx46Oe7vFCi
	 SYGkFhcHTsFJTJ5XQ2Ik/cQnJo6ggZpeooy98BKYJAc0bn0QTSFN0kuCrXl3B0GyIV
	 R8/hNnDmXCennVJ9nHhufIqjG1PwmQzquTqo7U2inrZzW5P+xtZtDbpQWur3FbTMrK
	 ek1bIsOTa+0QhKzmDPp9cSCUw651mklBrol2sGQC74OSxd5nsdqtmqBzDRSckH+QdL
	 d4Vp0PRakfdK022lCz36Qx1SQGH+GUyUPG//aI8cEWfhv/JriEdCCM67mpvkD3OC4N
	 f2geVzEPx99qQ==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id BC5DA682CD;
	Fri, 31 Oct 2025 00:56:17 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id 0DTVVb_Vfo6Q; Fri, 31 Oct 2025 00:56:17 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893777;
	bh=GfBq2S82sWZ7MIWUGCkSq/K9HjyyFw6Mb1hMTgy7ooM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=b0L/WvgfuUf5/GsV9WYs6J9J5fTnowUCDijYL3fdACqEm15szCD5nbnLBsjNdGvyn
	 1aIOkuhYEMLvQhidJySwHRSwzAMAs7cuf9acGfYm1F5yDIiEfmfj+mo467HcoEa1L2
	 fFGkSSUNrHfFvdZKSXiCFtMqQGiDA47ldh0K8UTYo2DgR0duNeaw6rpazeF08kvtJC
	 KtaeD6NSe/UUjbhuFLLqOyovGsmTrvhUQhA0d2YAu/lIN4nhtbtDUnjlx6RnbgeouK
	 ayJZYYzI+ob8aT5DZr6nMToBGwswDRWT/BI2EDBi4GNIcbJ/MmaYra4ljY6a5QPQIn
	 oj5Us1dw9t58Q==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 0035C5FBA9;
	Fri, 31 Oct 2025 00:56:16 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:14 -0600
Message-ID: <20251031065439.3251464-19-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: N5XACBT2ULX5SYY7SZZMJ4MAPQGINTEQ
X-Message-ID-Hash: N5XACBT2ULX5SYY7SZZMJ4MAPQGINTEQ
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 18/24] luks: Create a very simple JSON library
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/N5XACBT2ULX5SYY7SZZMJ4MAPQGINTEQ/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

LUKS version 2 uses JSON as a means of communicating the key
information. Add a simple library which can print JSON in a
human-readable format.

Note that it does not fully parse the JSON fragment. That may be
considered later, if needed.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 MAINTAINERS       |   3 +
 include/json.h    |  23 +++++
 lib/Kconfig       |   7 ++
 lib/Makefile      |   1 +
 lib/json.c        | 122 +++++++++++++++++++++++++++
 test/lib/Makefile |   1 +
 test/lib/json.c   | 211 ++++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 368 insertions(+)
 create mode 100644 include/json.h
 create mode 100644 lib/json.c
 create mode 100644 test/lib/json.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 9b00829db93..a0374df1c4d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1297,7 +1297,10 @@ F:	cmd/luks.c
 F:	doc/usage/cmd/luks.rst
 F:	drivers/block/luks.c
 F:	include/luks.h
+F:	include/json.h
+F:	lib/json.c
 F:	test/boot/luks.c
+F:	test/lib/json.c
 
 MALI DISPLAY PROCESSORS
 M:	Liviu Dudau <liviu.dudau@foss.arm.com>
diff --git a/include/json.h b/include/json.h
new file mode 100644
index 00000000000..4d925e9db36
--- /dev/null
+++ b/include/json.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * JSON utilities
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ * Written by Simon Glass <simon.glass@canonical.com>
+ */
+
+#ifndef __JSON_H__
+#define __JSON_H__
+
+/**
+ * json_print_pretty() - Print JSON with indentation
+ *
+ * This function takes a JSON string and prints it with proper indentation,
+ * making it more human-readable. It handles nested objects and arrays.
+ *
+ * @json:	JSON string to print (may be nul terminated before @len)
+ * @len:	Length of JSON string
+ */
+void json_print_pretty(const char *json, int len);
+
+#endif /* __JSON_H__ */
diff --git a/lib/Kconfig b/lib/Kconfig
index 9de4667731e..c8bf4b4b049 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -976,6 +976,13 @@ config GETOPT
 	help
 	  This enables functions for parsing command-line options.
 
+config JSON
+	bool "Enable JSON parsing and printing"
+	help
+	  This enables JSON (JavaScript Object Notation) parsing and pretty-
+	  printing functions. JSON is used for structured data representation,
+	  such as LUKS2 metadata.
+
 config OF_LIBFDT
 	bool "Enable the FDT library"
 	default y if OF_CONTROL
diff --git a/lib/Makefile b/lib/Makefile
index 43df5733ffd..71c9c0d1766 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -39,6 +39,7 @@ endif
 
 obj-y += crc8.o
 obj-$(CONFIG_ERRNO_STR) += errno_str.o
+obj-$(CONFIG_JSON) += json.o
 obj-$(CONFIG_FIT) += fdtdec_common.o
 obj-$(CONFIG_TEST_FDTDEC) += fdtdec_test.o
 obj-$(CONFIG_GZIP_COMPRESSED) += gzip.o
diff --git a/lib/json.c b/lib/json.c
new file mode 100644
index 00000000000..8cce042d631
--- /dev/null
+++ b/lib/json.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * JSON pretty-printer
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ * Written by Simon Glass <simon.glass@canonical.com>
+ */
+
+#include <ctype.h>
+#include <log.h>
+
+/**
+ * print_indent() - Print indentation spaces
+ *
+ * @indent:	Indentation level (each level is 2 spaces)
+ */
+static void print_indent(int indent)
+{
+	for (int i = 0; i < indent * 2; i++)
+		putc(' ');
+}
+
+void json_print_pretty(const char *json, int len)
+{
+	int indent = 0;
+	bool in_string = false;
+	bool escaped = false;
+	bool after_open = false;
+	int i;
+
+	for (i = 0; i < len && json[i]; i++) {
+		char c = json[i];
+
+		/* Handle escape sequences */
+		if (escaped) {
+			putc(c);
+			escaped = false;
+			continue;
+		}
+
+		if (c == '\\') {
+			putc(c);
+			escaped = true;
+			continue;
+		}
+
+		/* Track whether we're inside a string */
+		if (c == '"') {
+			in_string = !in_string;
+			if (after_open) {
+				print_indent(indent);
+				after_open = false;
+			}
+			putc(c);
+			continue;
+		}
+
+		/* Don't format inside strings */
+		if (in_string) {
+			putc(c);
+			continue;
+		}
+
+		/* Format structural characters */
+		switch (c) {
+		case '{':
+		case '[':
+			if (after_open) {
+				print_indent(indent);
+				after_open = false;
+			}
+			putc(c);
+			putc('\n');
+			indent++;
+			after_open = true;
+			break;
+
+		case '}':
+		case ']':
+			if (!after_open) {
+				putc('\n');
+				indent--;
+				print_indent(indent);
+			} else {
+				indent--;
+			}
+			putc(c);
+			after_open = false;
+			break;
+
+		case ',':
+			putc(c);
+			putc('\n');
+			print_indent(indent);
+			after_open = false;
+			break;
+
+		case ':':
+			putc(c);
+			putc(' ');
+			after_open = false;
+			break;
+
+		case ' ':
+		case '\t':
+		case '\n':
+		case '\r':
+			/* Skip whitespace outside strings */
+			break;
+
+		default:
+			if (after_open) {
+				print_indent(indent);
+				after_open = false;
+			}
+			putc(c);
+			break;
+		}
+	}
+
+	putc('\n');
+}
diff --git a/test/lib/Makefile b/test/lib/Makefile
index 5c89421918b..1d94d6604d5 100644
--- a/test/lib/Makefile
+++ b/test/lib/Makefile
@@ -12,6 +12,7 @@ obj-$(CONFIG_EFI_LOADER) += efi_device_path.o
 obj-$(CONFIG_EFI_SECURE_BOOT) += efi_image_region.o
 obj-$(CONFIG_EFI_LOG) += efi_log.o
 obj-y += hexdump.o
+obj-$(CONFIG_JSON) += json.o
 obj-$(CONFIG_SANDBOX) += kconfig.o
 obj-y += lmb.o
 obj-$(CONFIG_HAVE_SETJMP) += longjmp.o
diff --git a/test/lib/json.c b/test/lib/json.c
new file mode 100644
index 00000000000..76afeb9b241
--- /dev/null
+++ b/test/lib/json.c
@@ -0,0 +1,211 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Tests for JSON pretty-printer
+ *
+ * Copyright (C) 2025 Canonical Ltd
+ * Written by Simon Glass <simon.glass@canonical.com>
+ */
+
+#include <json.h>
+#include <test/lib.h>
+#include <test/test.h>
+#include <test/ut.h>
+
+static int lib_test_json_simple_object(struct unit_test_state *uts)
+{
+	const char *json = "{\"name\":\"value\"}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"name\": \"value\"");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_simple_object, UTF_CONSOLE);
+
+static int lib_test_json_simple_array(struct unit_test_state *uts)
+{
+	const char *json = "[1,2,3]";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("[");
+	ut_assert_nextline("  1,");
+	ut_assert_nextline("  2,");
+	ut_assert_nextline("  3");
+	ut_assert_nextline("]");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_simple_array, UTF_CONSOLE);
+
+static int lib_test_json_nested_object(struct unit_test_state *uts)
+{
+	const char *json = "{\"outer\":{\"inner\":\"value\"}}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"outer\": {");
+	ut_assert_nextline("    \"inner\": \"value\"");
+	ut_assert_nextline("  }");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_nested_object, UTF_CONSOLE);
+
+static int lib_test_json_nested_array(struct unit_test_state *uts)
+{
+	const char *json = "[[1,2],[3,4]]";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("[");
+	ut_assert_nextline("  [");
+	ut_assert_nextline("    1,");
+	ut_assert_nextline("    2");
+	ut_assert_nextline("  ],");
+	ut_assert_nextline("  [");
+	ut_assert_nextline("    3,");
+	ut_assert_nextline("    4");
+	ut_assert_nextline("  ]");
+	ut_assert_nextline("]");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_nested_array, UTF_CONSOLE);
+
+static int lib_test_json_mixed_nested(struct unit_test_state *uts)
+{
+	const char *json = "{\"array\":[1,{\"nested\":\"obj\"}]}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"array\": [");
+	ut_assert_nextline("    1,");
+	ut_assert_nextline("    {");
+	ut_assert_nextline("      \"nested\": \"obj\"");
+	ut_assert_nextline("    }");
+	ut_assert_nextline("  ]");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_mixed_nested, UTF_CONSOLE);
+
+static int lib_test_json_string_with_colon(struct unit_test_state *uts)
+{
+	const char *json = "{\"url\":\"http://example.com\"}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"url\": \"http://example.com\"");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_string_with_colon, UTF_CONSOLE);
+
+static int lib_test_json_string_with_comma(struct unit_test_state *uts)
+{
+	const char *json = "{\"name\":\"last, first\"}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"name\": \"last, first\"");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_string_with_comma, UTF_CONSOLE);
+
+static int lib_test_json_string_with_braces(struct unit_test_state *uts)
+{
+	const char *json = "{\"text\":\"some {braces} here\"}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"text\": \"some {braces} here\"");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_string_with_braces, UTF_CONSOLE);
+
+static int lib_test_json_escaped_quote(struct unit_test_state *uts)
+{
+	const char *json = "{\"quote\":\"He said \\\"hello\\\"\"}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"quote\": \"He said \\\"hello\\\"\"");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_escaped_quote, UTF_CONSOLE);
+
+static int lib_test_json_multiple_fields(struct unit_test_state *uts)
+{
+	const char *json = "{\"name\":\"test\",\"age\":25,\"active\":true}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"name\": \"test\",");
+	ut_assert_nextline("  \"age\": 25,");
+	ut_assert_nextline("  \"active\": true");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_multiple_fields, UTF_CONSOLE);
+
+static int lib_test_json_empty_object(struct unit_test_state *uts)
+{
+	const char *json = "{}";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_empty_object, UTF_CONSOLE);
+
+static int lib_test_json_empty_array(struct unit_test_state *uts)
+{
+	const char *json = "[]";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("[");
+	ut_assert_nextline("]");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_empty_array, UTF_CONSOLE);
+
+static int lib_test_json_whitespace(struct unit_test_state *uts)
+{
+	const char *json = "{ \"name\" : \"value\" , \"num\" : 42 }";
+
+	json_print_pretty(json, strlen(json));
+	ut_assert_nextline("{");
+	ut_assert_nextline("  \"name\": \"value\",");
+	ut_assert_nextline("  \"num\": 42");
+	ut_assert_nextline("}");
+	ut_assert_console_end();
+
+	return 0;
+}
+LIB_TEST(lib_test_json_whitespace, UTF_CONSOLE);

From patchwork Fri Oct 31 06:54:15 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 669
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893786;
	bh=1WNu/0fkn/NpUjZHKFh9lBajdjt13qYcXAIAhcHvaEY=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=fZB0FJt9VOmgDk6UADrALautGa+N8NcTQqm+Ueh23Q5TqxjLTSGMQCQUkYxJwNM8A
	 WmwVE1jTqBAxHnnPJItqWdVR6Fi6hLngmEjSJTjDaOBeJoB5Cw4uvoQyg13P1SXzfX
	 kPuh0yWjV+OKLn7fOtmzyyRelXp9atzpYHsjroSHBwHC4rTr8gbvq0i/gP3uvmQl9A
	 T33Zjk/ysXsU0Q/dxxpny+Iw12DYXJ1K8696AM61LOkjF71iUTybV5w30XzlojL6Am
	 Wdz/MbnXs8+8CGxDo++THA98mbhkr78mrbWm+/yDDQ4ojCshPbOeoAgcCg5F+VUjts
	 510gtlthXWDEA==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 7956D68326
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:26 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id fUVAS1wA9tq1 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:26 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893786;
	bh=1WNu/0fkn/NpUjZHKFh9lBajdjt13qYcXAIAhcHvaEY=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=fZB0FJt9VOmgDk6UADrALautGa+N8NcTQqm+Ueh23Q5TqxjLTSGMQCQUkYxJwNM8A
	 WmwVE1jTqBAxHnnPJItqWdVR6Fi6hLngmEjSJTjDaOBeJoB5Cw4uvoQyg13P1SXzfX
	 kPuh0yWjV+OKLn7fOtmzyyRelXp9atzpYHsjroSHBwHC4rTr8gbvq0i/gP3uvmQl9A
	 T33Zjk/ysXsU0Q/dxxpny+Iw12DYXJ1K8696AM61LOkjF71iUTybV5w30XzlojL6Am
	 Wdz/MbnXs8+8CGxDo++THA98mbhkr78mrbWm+/yDDQ4ojCshPbOeoAgcCg5F+VUjts
	 510gtlthXWDEA==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 67A355FBA9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:26 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893783;
	bh=tNzNVZUF0Ok65yYwczU5MH/gE0OjXpj8gEXtGmkQqJk=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=fPGezQlWDfLmA+BWbZrsbf9Aw3dN9syDkdV+V1AVdeTB3ffYwG2JKqgWbhBL5HPKj
	 VrtdwGnWr/2d7HlOHp9f1bziCZj8hjgaRJ4NC2IGsd/PaX2YcxEX4+4FQD7uFxSCo6
	 T6TiGfhR7FG//rTAsSSZOr79sW5t+45BIbHNfMIFLf8SssFsr3UzG4ls3Rg2gIZYbt
	 SFRHw3BZfpK+52nTFtKWxyNKbqEur7lrUjbcA9yZDLHxdJWCmw/mIyM99bJXSd5sA1
	 aXUIHXMmPoWrObUAt1zQ0CDksa7jUgDlrxyUvsD/+F8FlKSYdBoYWx6VBcraJvrL5g
	 Dh7NKTFqSSx1w==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DC71A68316;
	Fri, 31 Oct 2025 00:56:23 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id H7yRSAeGrFfk; Fri, 31 Oct 2025 00:56:23 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893778;
	bh=0zaZD5NU1j+hwQx90qUjzSKDkx1jmG65Y1aHCY/xYyk=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=jEBSaRoSM79eb7J5C7IUtpyyS9AFbnq0yQWJoWhlWBIBck6Uj88YX+5Fm1xNQTkYO
	 Ppvs3hiVgV8JIZ9tLATCpW6G+x2Md+9ERXTAkU2P7N8Hx7EHvPtdS97iMqGvHVRONz
	 vj+pq/IhMkc9iYmv9rmxcC3Wp89hKQeTNi4DnziThMukJVUE0sUNH8ypstirKLorIl
	 sZPSMBwECnEPddYYxTtq4R9iPUoYOqWj49/2wlY5BALbzJSnpyPpBwbDBJfQdvtUe/
	 6t9K6qEZPvyuNbKx4/eE/fFD64o0InIgjQIBzTHfyMPZnhkYXIss5mgM0NzeUyK+NR
	 QMhvjnnS6lA7Q==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 081E95FBA9;
	Fri, 31 Oct 2025 00:56:17 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:15 -0600
Message-ID: <20251031065439.3251464-20-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: 6OYY73ZS2JX44WTNIN363UNKJPEFFG7M
X-Message-ID-Hash: 6OYY73ZS2JX44WTNIN363UNKJPEFFG7M
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 19/24] luks: Create a disk image with LUKS2
 encryption
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/6OYY73ZS2JX44WTNIN363UNKJPEFFG7M/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add a new mmc12 image which has a LUKS2-encrypted ext4 partition.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 arch/sandbox/dts/test.dts  |  8 ++++++
 test/py/img/common.py      |  7 ++---
 test/py/img/ubuntu.py      |  4 +--
 test/py/tests/fs_helper.py | 53 +++++++++++++++++++++++++++-----------
 test/py/tests/test_ut.py   |  3 ++-
 5 files changed, 54 insertions(+), 21 deletions(-)

diff --git a/arch/sandbox/dts/test.dts b/arch/sandbox/dts/test.dts
index 9b0a5736cf8..1d0ebc33387 100644
--- a/arch/sandbox/dts/test.dts
+++ b/arch/sandbox/dts/test.dts
@@ -49,6 +49,7 @@
 		mmc9 = "/mmc9";
 		mmc10 = "/mmc10";
 		mmc11 = "/mmc11";
+		mmc12 = "/mmc12";
 		pci0 = &pci0;
 		pci1 = &pci1;
 		pci2 = &pci2;
@@ -1207,6 +1208,13 @@
 		filename = "mmc11.img";
 	};
 
+	/* This is used for LUKS version 2 tests */
+	mmc12 {
+		status = "disabled";
+		compatible = "sandbox,mmc";
+		filename = "mmc12.img";
+	};
+
 	pch {
 		compatible = "sandbox,pch";
 	};
diff --git a/test/py/img/common.py b/test/py/img/common.py
index 01745ce73b3..3b3fdb2734b 100644
--- a/test/py/img/common.py
+++ b/test/py/img/common.py
@@ -33,7 +33,7 @@ def copy_partition(ubman, fsfile, outname):
 
 
 def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
-                         script, part2_size=1, use_fde=False):
+                         script, part2_size=1, use_fde=0):
     """Create a 20MB disk image with a single FAT partition
 
     Args:
@@ -46,7 +46,7 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
         dtbdir (str or None): Devicetree filename
         script (str): Script to place in the extlinux.conf file
         part2_size (int): Size of second partition in MB (default: 1)
-        use_fde (bool): True to encrypt the ext4 partition with LUKS1
+        use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2)
     """
     fsh = FsHelper(config, 'vfat', 18, prefix=basename)
     fsh.setup()
@@ -82,7 +82,8 @@ def setup_extlinux_image(config, log, devnum, basename, vmlinux, initrd, dtbdir,
 
     ext4 = FsHelper(config, 'ext4', max(1, part2_size - 30), prefix=basename,
                     part_mb=part2_size,
-                    encrypt_passphrase='test' if use_fde else None)
+                    encrypt_passphrase='test' if use_fde else None,
+                    luks_version=use_fde if use_fde else 2)
     ext4.setup()
 
     bindir = os.path.join(ext4.srcdir, 'bin')
diff --git a/test/py/img/ubuntu.py b/test/py/img/ubuntu.py
index 58ee9f20277..b783f7eb3cf 100644
--- a/test/py/img/ubuntu.py
+++ b/test/py/img/ubuntu.py
@@ -7,7 +7,7 @@ from img.common import setup_extlinux_image
 
 
 def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS',
-                       use_fde=False):
+                       use_fde=0):
     """Create a Ubuntu disk image with a FAT partition and ext4 partition
 
     This creates a FAT partition containing extlinux files, kernel, etc. and a
@@ -18,7 +18,7 @@ def setup_ubuntu_image(config, log, devnum, basename, version='24.04.1 LTS',
         log (multiplexed_log.Logfile): Log to write to
         devnum (int): Device number to use, e.g. 1
         basename (str): Base name to use in the filename, e.g. 'mmc'
-        use_fde (bool): True to set up full-disk encryption
+        use_fde (int): LUKS version for full-disk encryption (0=none, 1=LUKS1, 2=LUKS2)
     """
     vmlinux = 'vmlinuz-6.8.0-53-generic'
     initrd = 'initrd.img-6.8.0-53-generic'
diff --git a/test/py/tests/fs_helper.py b/test/py/tests/fs_helper.py
index 49747be1788..914de09e381 100644
--- a/test/py/tests/fs_helper.py
+++ b/test/py/tests/fs_helper.py
@@ -38,12 +38,20 @@ class FsHelper:
                 fsh.mk_fs()
                 ...
 
-        To create an encrypted LUKS1 partition:
+        To create an encrypted LUKS2 partition (default):
 
             with FsHelper(ubman.config, 'ext4', 10, 'mmc1',
                           encrypt_passphrase='test') as fsh:
                 # create files in the fsh.srcdir directory
-                fsh.mk_fs()  # Creates and encrypts the filesystem
+                fsh.mk_fs()  # Creates and encrypts the filesystem with LUKS2
+                ...
+
+        To create an encrypted LUKS1 partition:
+
+            with FsHelper(ubman.config, 'ext4', 10, 'mmc1',
+                          encrypt_passphrase='test', luks_version=1) as fsh:
+                # create files in the fsh.srcdir directory
+                fsh.mk_fs()  # Creates and encrypts the filesystem with LUKS1
                 ...
 
     Properties:
@@ -51,7 +59,7 @@ class FsHelper:
             default value but can be overwritten
     """
     def __init__(self, config, fs_type, size_mb, prefix, part_mb=None,
-                 encrypt_passphrase=None):
+                 encrypt_passphrase=None, luks_version=2):
         """Set up a new object
 
         Args:
@@ -64,7 +72,8 @@ class FsHelper:
                 to size_mb. This can be used to make the partition larger than
                 the filesystem, to create space for disk-encryption metadata
             encrypt_passphrase (str, optional): If provided, encrypt the
-                filesystem with LUKS1 using this passphrase
+                filesystem with LUKS using this passphrase
+            luks_version (int): LUKS version to use (1 or 2). Defaults to 2.
         """
         if ('fat' not in fs_type and 'ext' not in fs_type and
              fs_type not in ['exfat', 'fs_generic']):
@@ -77,6 +86,7 @@ class FsHelper:
         self.prefix = prefix
         self.quiet = True
         self.encrypt_passphrase = encrypt_passphrase
+        self.luks_version = luks_version
 
         # Use a default filename; the caller can adjust it
         leaf = f'{prefix}.{fs_type}.img'
@@ -166,11 +176,10 @@ class FsHelper:
                 self.srcdir = self.tmpdir.name
 
     def encrypt_luks(self, passphrase):
-        """Encrypt the filesystem image with LUKS1
+        """Encrypt the filesystem image with LUKS
 
-        This replaces the filesystem image with a LUKS1-encrypted version.
-        LUKS1 is used because U-Boot's unlock implementation currently only
-        supports LUKS version 1.
+        This replaces the filesystem image with a LUKS-encrypted version.
+        The LUKS version is determined by self.luks_version.
 
         Args:
             passphrase (str): Passphrase for the LUKS container
@@ -180,11 +189,25 @@ class FsHelper:
 
         Raises:
             CalledProcessError: If cryptsetup is not available or fails
+            ValueError: If an unsupported LUKS version is specified
         """
-        # LUKS1 encryption parameters
-        cipher = 'aes-cbc-essiv:sha256'
-        key_size = 256
-        hash_alg = 'sha256'
+        # LUKS encryption parameters
+        if self.luks_version == 1:
+            # LUKS1 parameters
+            cipher = 'aes-cbc-essiv:sha256'
+            key_size = 256
+            hash_alg = 'sha256'
+            luks_type = 'luks1'
+        elif self.luks_version == 2:
+            # LUKS2 parameters (modern defaults)
+            cipher = 'aes-xts-plain64'
+            key_size = 512  # XTS uses 512-bit keys (2x256)
+            hash_alg = 'sha256'
+            luks_type = 'luks2'
+        else:
+            raise ValueError(f"Unsupported LUKS version: {self.luks_version}")
+
+        key_size_str = str(key_size)
 
         # Save the original filesystem image
         orig_fs_img = f'{self.fs_img}.orig'
@@ -214,11 +237,11 @@ class FsHelper:
             stdout=DEVNULL, stderr=DEVNULL, check=False)
 
         try:
-            # Format as LUKS1
+            # Format as LUKS (version determined by luks_type)
             run(['cryptsetup', 'luksFormat',
-                 '--type', 'luks1',
+                 '--type', luks_type,
                  '--cipher', cipher,
-                 '--key-size', str(key_size),
+                 '--key-size', key_size_str,
                  '--hash', hash_alg,
                  '--iter-time', '10',  # Very fast for testing (low security)
                  luks_img],
diff --git a/test/py/tests/test_ut.py b/test/py/tests/test_ut.py
index 218f5a74ac1..94d98b3b73b 100644
--- a/test/py/tests/test_ut.py
+++ b/test/py/tests/test_ut.py
@@ -83,7 +83,8 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log):
     setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04')
     setup_localboot_image(u_boot_config, u_boot_log)
     setup_vbe_image(u_boot_config, u_boot_log)
-    setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=True)
+    setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=1)
+    setup_ubuntu_image(u_boot_config, u_boot_log, 12, 'mmc', use_fde=2)
 
 def test_ut(ubman, ut_subtest):
     """Execute a "ut" subtest.

From patchwork Fri Oct 31 06:54:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 670
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893788;
	bh=hKapjywgMB78wct1rF3NBXUSrIqHVEI91SGCyfmpXmQ=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=cWnZ90DiFQRf7sar02eBdIB4dJQoMabzujzlA29pl1LF1mjjCFqGnm4fEHhmrx8ZE
	 hIK8S5EIbNKtizLPZWEIsEf6xTmE9j7Vm+przhP+jVHQYJIjpPzRJjamIkjK9+fkfT
	 GxkQ52lj02Vac8kYuyFfh1ihPelPeJwb7FY/gaCXib80KoTTwsW++/d1kbaR9uLCUR
	 sTJEE+VdKkTWhLA45LnARWloXfoTr8Ofo5L5lBBs7myl9Pc9hFa35AdA6MUk9vA8O0
	 4AgN6gjSmcyxzdm2nPYBklnTujfCp+Hp+GasGr4n1k7llagAJ3RKiwrx+xFfN1xibu
	 4z+R4HLjA4ooA==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id D612E68397
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:28 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id Kon4aGNXw1d0 for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:28 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893786;
	bh=hKapjywgMB78wct1rF3NBXUSrIqHVEI91SGCyfmpXmQ=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=PEeTN7tfWB0UVn4gEco6lpQD1h0CgTtbctC24JpRg+dhLDs+xoN3kKfU/3LqG+Q+J
	 /Q5y1sIpSXbfWV09fX/Va2/u5mBkP0bx6rJP5ep00IQR41GXXn2LNBlQDhELtdfNR5
	 bMvqtCq28XzxT0rWTmY+f2vQlr4KwRMHwwv9KOuKXpJ0D6OpLgnV1y0jvrKeADObz3
	 JJ/V3L3uIjb65zJHJJ8ASedMt8LKgh5p2Y1I5tp5nO4sxhYAHfqu/2ggIrOp3JvIYF
	 rWYihfRaWG0VzKhTFIuaPLN78aNdylYkQWq1Cpk7aVrhUaLD0bXbILJEkXWInMBSTt
	 NJxZnlAHj36CA==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id CEC5D5FBA9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:26 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893783;
	bh=0jOPJKeHfgLnwCIuuginjo74GdcQiP7hh8ghXrHf8tM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=v1eKLBZw15qVjUyA5p3qNDhHsyxSwKriYlHmBZVLlt0pCcMSm8j7g/9RBKl8m/DAe
	 U3Oq3pWMgqKZBCJoJ2teFYYIIXqiY2u08igS3J/81H7fUix3Fgm+igXiLiaRBr6yen
	 SpHNQfu8+9Hb1v25QZXYuWz8tZeD1LQk3xKGB6KweSzl5RhJSIPn/cTYN/hzTJRrdH
	 65wNn4qVstlcoz+G750oCd+hhAZY6j6GcLoqeRJxvJq8PPXcjuqm5MYVo3Mh/yi3Ml
	 SO8t+OrSwUy88mR45fFXLUdqaYzbIWrCrG0QuPMw6xYoRHPYqGiv86HvoyVnD2JoYr
	 Wgbc3OLGzSXfg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id E5B5C5FBA9;
	Fri, 31 Oct 2025 00:56:23 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id GGIJaeexQPyj; Fri, 31 Oct 2025 00:56:23 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893783;
	bh=8Z72hCNuIEkhX6BYJjldXjJt2BRFcwb5+aOgcogORm8=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=DPKzMd0hz4hF6pWkZqPlQ/iUMVZ+zAY5USgYHbVe4RqRuUYGmIaWJChNBRoGhgLst
	 jjKrbxNaezw/ABfF+JjoqorKIC+K47+WWfyG7nPaf+HtrGxclsJSseYLkMMoYho8dd
	 LR44dPFfgDNb7CYupXmGDMGGudoq0Qpn2iEUR2yVraTe3vIfy0zl27YgVxupo7saP/
	 axhIwZyfZD2FvjmLoNcEabuZ6oMTsPZZuzXlT2ct3spkSnYy2I5yllYgK1eSad6uV0
	 TWeeoav2/cQXLQPzGuqgGYsS8WKeeFoKgV6hjVJidLOiGLIHDBgcTvVgiQKtS/TlTs
	 AfwjKjlBNFTuw==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id BF42A682E9;
	Fri, 31 Oct 2025 00:56:22 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:16 -0600
Message-ID: <20251031065439.3251464-21-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: BEDQVWAU6C7ZFPM5ZOOCUYW6C6TCLF73
X-Message-ID-Hash: BEDQVWAU6C7ZFPM5ZOOCUYW6C6TCLF73
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 20/24] luks: Show the JSON information for LUKSv2
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/BEDQVWAU6C7ZFPM5ZOOCUYW6C6TCLF73/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Extract the full information for version 2, which is JSON format. Show
this with the 'luks info' command.

Use the mmc12 disk to check this.

Require the JSON for LUKS.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 doc/usage/cmd/luks.rst |  29 ++++++++++
 drivers/block/Kconfig  |   1 +
 drivers/block/luks.c   |  23 ++++++++
 test/boot/luks.c       | 118 ++++++++++++++++++++++++++++++++++++++---
 4 files changed, 165 insertions(+), 6 deletions(-)

diff --git a/doc/usage/cmd/luks.rst b/doc/usage/cmd/luks.rst
index b88fcd96439..c3b03eeff2e 100644
--- a/doc/usage/cmd/luks.rst
+++ b/doc/usage/cmd/luks.rst
@@ -106,6 +106,35 @@ Display LUKS header information for a LUKS2 partition::
     Label:
     Checksum alg:   sha256
 
+    JSON metadata (12288 bytes):
+    {
+      "keyslots": {
+        "0": {
+          "type": "luks2",
+          "key_size": 64,
+          "kdf": {
+            "type": "argon2id",
+            "time": 6,
+            "memory": 1048576,
+            "cpus": 4,
+            ...
+          },
+          ...
+        }
+      },
+      "tokens": {},
+      "segments": {
+        "0": {
+          "type": "crypt",
+          "offset": "16777216",
+          "encryption": "aes-xts-plain64",
+          ...
+        }
+      },
+      "digests": { ... },
+      "config": { ... }
+    }
+
 Display LUKS header information for a LUKS1 partition::
 
     => luks info mmc 1:1
diff --git a/drivers/block/Kconfig b/drivers/block/Kconfig
index b07012ec7c9..34cd2ee8e59 100644
--- a/drivers/block/Kconfig
+++ b/drivers/block/Kconfig
@@ -278,6 +278,7 @@ config BLK_LUKS
 	select SHA256
 	select PBKDF2
 	select PKCS5_MBEDTLS if MBEDTLS_LIB_CRYPTO
+	select JSON
 	help
 	  This provides support for detecting and decrypting LUKS (Linux Unified
 	  Key Setup) encrypted partitions. LUKS is a disk encryption specification
diff --git a/drivers/block/luks.c b/drivers/block/luks.c
index 597359b98ff..c43cb9a3dd3 100644
--- a/drivers/block/luks.c
+++ b/drivers/block/luks.c
@@ -8,6 +8,7 @@
 #include <blk.h>
 #include <dm.h>
 #include <hexdump.h>
+#include <json.h>
 #include <log.h>
 #include <luks.h>
 #include <memalign.h>
@@ -103,6 +104,28 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo)
 		printf("UUID:           %.40s\n", luks2_hdr->uuid);
 		printf("Label:          %.48s\n", luks2_hdr->label);
 		printf("Checksum alg:   %.32s\n", luks2_hdr->csum_alg);
+
+		if (IS_ENABLED(CONFIG_JSON)) {
+			u64 json_size;
+			char *json_start;
+			int blocks;
+
+			/* Read the full header to get JSON area */
+			blocks = (hdr_size + desc->blksz - 1) / desc->blksz;
+			ALLOC_CACHE_ALIGN_BUFFER(unsigned char, full_hdr, blocks * desc->blksz);
+
+			if (blk_read(blk, pinfo->start, blocks, full_hdr) != blocks) {
+				printf("Error: failed to read full LUKS2 header\n");
+				return -EIO;
+			}
+
+			/* JSON starts after the 4096-byte binary header */
+			json_start = (char *)(full_hdr + 4096);
+			json_size = hdr_size - 4096;
+
+			printf("\nJSON metadata (%llx bytes):\n", json_size);
+			json_print_pretty(json_start, (int)json_size);
+		}
 	} else {
 		printf("Unknown LUKS version\n");
 		return -EPROTONOSUPPORT;
diff --git a/test/boot/luks.c b/test/boot/luks.c
index fadd3819ffe..70ee0fb0824 100644
--- a/test/boot/luks.c
+++ b/test/boot/luks.c
@@ -20,19 +20,49 @@
 
 DECLARE_GLOBAL_DATA_PTR;
 
-/* Common function to setup mmc11 device */
-static int setup_mmc11(struct unit_test_state *uts, struct udevice **mmcp)
+/**
+ * setup_mmc_device() - Set up an MMC device for testing
+ *
+ * This function binds and probes an MMC device specified by its device tree
+ * node name. It is used to prepare MMC devices containing test disk images
+ * with various configurations (e.g., LUKS1, LUKS2 encryption).
+ *
+ * @uts: Unit test state
+ * @node_name: Name of the device tree node (e.g., "mmc11", "mmc12")
+ * @mmcp: Returns pointer to the MMC device
+ * Return: 0 if OK, -ve on error
+ */
+static int setup_mmc_device(struct unit_test_state *uts, const char *node_name,
+			    struct udevice **mmcp)
 {
+	struct udevice *mmc;
 	ofnode root, node;
 
-	/* Enable the mmc11 node */
+	/* Enable the specified mmc node */
 	root = oftree_root(oftree_default());
-	node = ofnode_find_subnode(root, "mmc11");
+	node = ofnode_find_subnode(root, node_name);
 	ut_assert(ofnode_valid(node));
-	ut_assertok(lists_bind_fdt(gd->dm_root, node, mmcp, NULL, false));
+	ut_assertok(lists_bind_fdt(gd->dm_root, node, &mmc, NULL, false));
 
 	/* Probe the device */
-	ut_assertok(device_probe(*mmcp));
+	ut_assertok(device_probe(mmc));
+	*mmcp = mmc;
+
+	return 0;
+}
+
+/* Setup mmc11 device */
+static int setup_mmc11(struct unit_test_state *uts, struct udevice **mmcp)
+{
+	ut_assertok(setup_mmc_device(uts, "mmc11", mmcp));
+
+	return 0;
+}
+
+/* Setup mmc12 device */
+static int setup_mmc12(struct unit_test_state *uts, struct udevice **mmcp)
+{
+	ut_assertok(setup_mmc_device(uts, "mmc12", mmcp));
 
 	return 0;
 }
@@ -107,3 +137,79 @@ static int bootstd_test_luks_info(struct unit_test_state *uts)
 	return 0;
 }
 BOOTSTD_TEST(bootstd_test_luks_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 detection on mmc12 partitions */
+static int bootstd_test_luks2_detect(struct unit_test_state *uts)
+{
+	struct disk_partition info;
+	struct blk_desc *desc;
+	struct udevice *mmc;
+	int ret;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+	desc = blk_get_by_device(mmc);
+	ut_assertnonnull(desc);
+	ut_assertnonnull(desc->bdev);
+
+	/* Check partition 1 - should NOT be LUKS */
+	ut_assertok(part_get_info(desc, 1, &info));
+	ret = luks_detect(desc->bdev, &info);
+	ut_assert(ret < 0);  /* Should fail - not LUKS */
+
+	/* Check partition 2 - should BE LUKS */
+	ut_assertok(part_get_info(desc, 2, &info));
+	ut_assertok(luks_detect(desc->bdev, &info));
+
+	/* Verify it's LUKS version 2 */
+	ut_asserteq(2, luks_get_version(desc->bdev, &info));
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_detect, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 command on mmc12 partitions */
+static int bootstd_test_luks2_cmd(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+
+	/* Test partition 1 - should NOT be LUKS */
+	ut_asserteq(1, run_command("luks detect mmc c:1", 0));
+	ut_assert_nextlinen("Not a LUKS partition (error -");
+	ut_assert_console_end();
+
+	/* Test partition 2 - should BE LUKS */
+	ut_assertok(run_command("luks detect mmc c:2", 0));
+	ut_assert_nextline("LUKS2 encrypted partition detected");
+	ut_assert_console_end();
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_cmd, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKSv2 info command on mmc12 partition 2 */
+static int bootstd_test_luks2_info(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc12(uts, &mmc));
+
+	/* Test partition 2 LUKS info */
+	ut_assertok(run_command("luks info mmc c:2", 0));
+	ut_assert_nextline("Version:        2");
+	ut_assert_nextlinen("Header size:");
+	ut_assert_nextlinen("Sequence ID:");
+	ut_assert_nextlinen("UUID:");
+	ut_assert_nextlinen("Label:");
+	ut_assert_nextlinen("Checksum alg:");
+
+	/* Verify JSON metadata section is present (skip empty line first) */
+	ut_assert_skip_to_line("");
+	ut_assert_nextlinen("JSON metadata (");
+	ut_assert_nextline("{");
+	/* JSON output varies and there is little value in checking it here */
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks2_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);

From patchwork Fri Oct 31 06:54:17 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 671
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893793;
	bh=n0ZuHMd7FN1q07x85cItxkgs8csjRVH0YFXyxiguiyw=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=HXE8KGNh9S0es0GV0InQPjN4zL9IOHv1i4IUkDu8Dr68Xz4v6nipljqVNlaHOpNPe
	 b4Lw6JHqL2mgqyvyd7dlztc18mxMrFEjLwltT4/j/6PF5GMmKw6IZ/oCj1mCq2m3Lu
	 ARM1Sj0eCuKYzPvtSm3mVsT+Og9kujL+Mr8WK7f13mn1/FYsteYHi2iAgod2rYJUQY
	 /VF7A94N9rrIW8S6SzYcpP95M4JCerRSpnQ6CuuuwW2zAEHq906KCYK1wawMJksyyr
	 uIJJ7JaPJSbUrHZA3lT1l+T8FMhMmL9/97lM1nydni40JTGYdaa1NkkpSOa5y2QV1f
	 JYVBWHCe4AKog==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 4DDD068368
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:33 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id shzS3MnHv3SI for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:33 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893793;
	bh=n0ZuHMd7FN1q07x85cItxkgs8csjRVH0YFXyxiguiyw=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=HXE8KGNh9S0es0GV0InQPjN4zL9IOHv1i4IUkDu8Dr68Xz4v6nipljqVNlaHOpNPe
	 b4Lw6JHqL2mgqyvyd7dlztc18mxMrFEjLwltT4/j/6PF5GMmKw6IZ/oCj1mCq2m3Lu
	 ARM1Sj0eCuKYzPvtSm3mVsT+Og9kujL+Mr8WK7f13mn1/FYsteYHi2iAgod2rYJUQY
	 /VF7A94N9rrIW8S6SzYcpP95M4JCerRSpnQ6CuuuwW2zAEHq906KCYK1wawMJksyyr
	 uIJJ7JaPJSbUrHZA3lT1l+T8FMhMmL9/97lM1nydni40JTGYdaa1NkkpSOa5y2QV1f
	 JYVBWHCe4AKog==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 3D260682CD
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:33 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893791;
	bh=m1pthdJRWqoOLSAF9MAwUU/DagXXy44Uz2+25Fjg698=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=aC8acGlw07lraGo2zNTlKuZpj3vEXJFXoQNedOUJcAx129CSuWdYQlhpipjQkZh5V
	 WC2fGPBJnfk14sAya5jFB6MsEngLG+y5enEI7yXD5oJxPvWval76b4+/PAs2uOOqDy
	 lKGFZ6ziHU04gpxBWbOPVyAw2sv+3KcBoFvHahLvFwmrmCWmFG/JtmxgJjTyNfLi5U
	 V9KQuStmLplGciZhsXdAda3h4sjOKvge+WTUi4Y7FmImVDwdX9WiJyY0AGhXlGsQ39
	 2L2Bh07ek9q0JC2ZV2UyRk/AzIH3VCK2bM59jVBCF5MVpl0KDkB9rnv5p+MPdbzj3X
	 AIAImGDv67hww==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 1BB9E5FBA9;
	Fri, 31 Oct 2025 00:56:31 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id bs70CJGUIwZq; Fri, 31 Oct 2025 00:56:31 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893784;
	bh=Hv3MH9b6rjBP9Ts//ac1iSJq484Id4OOdUwNAUjU4ZI=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=BXHIOnvTwTCZkjjLSCzJMFYtSG4tSFFWP1b98THNVvTl503YzsFogaJfl40hRxc83
	 Z5uNr4WymGHN4MgDVY7mQEzfm0dcp3xAAlb9Nb442ZruUEW/+EZsWNGqY8XtWCQ1tq
	 bWRHFqcdebKD0qkVSTD4AWD7EoRzeOnXx0SPBvhTAMtHdJGo05TKGf9u/g5RlrEudO
	 FoWBVY6GupeqssXdCBM1VTfgG8gXpUfu5isOYsIlfId6nszRlEHMYa3shwN1xA3o52
	 zJAooDpocN1o7Vwj4Nd6xvHZMQ0yY0PlVpmVANla/cHJmjFV1IP1DK68Wv7jZsha8H
	 35nseZ1WqS7Bg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id BCE65682CD;
	Fri, 31 Oct 2025 00:56:23 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:17 -0600
Message-ID: <20251031065439.3251464-22-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: 7NVFWFFWNOTWZUPCIQN6DBON7WBQNLBD
X-Message-ID-Hash: 7NVFWFFWNOTWZUPCIQN6DBON7WBQNLBD
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 21/24] luks: Enhance blkmap to support LUKSv1
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/7NVFWFFWNOTWZUPCIQN6DBON7WBQNLBD/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Enhance blkmap to support decrypting a partition encrypted with LUKS
version 1. This will allow filesystems to access files on the parition.

This will be tested once filesystems support is plumbed in.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 drivers/block/blkmap.c | 152 +++++++++++++++++++++++++++++++++++++++++
 include/blkmap.h       |  24 +++++++
 2 files changed, 176 insertions(+)

diff --git a/drivers/block/blkmap.c b/drivers/block/blkmap.c
index 34eed1380dc..13a79001979 100644
--- a/drivers/block/blkmap.c
+++ b/drivers/block/blkmap.c
@@ -9,10 +9,13 @@
 #include <dm.h>
 #include <malloc.h>
 #include <mapmem.h>
+#include <memalign.h>
 #include <part.h>
+#include <uboot_aes.h>
 #include <dm/device-internal.h>
 #include <dm/lists.h>
 #include <dm/root.h>
+#include <linux/string.h>
 
 struct blkmap;
 
@@ -290,6 +293,155 @@ int blkmap_map_pmem(struct udevice *dev, lbaint_t blknr, lbaint_t blkcnt,
 	return err;
 }
 
+/**
+ * struct blkmap_crypt - Encrypted device mapping
+ *
+ * @slice: Common map data
+ * @blk: Target encrypted block device
+ * @blknr: Start block number of encrypted data on target device
+ * @master_key: Decrypted master key for this mapping
+ * @key_size: Size of master key in bytes
+ * @payload_offset: LUKS payload offset in sectors
+ * @use_essiv: True if ESSIV mode is used for IV generation
+ * @essiv_key: ESSIV key (SHA256 hash of master key)
+ */
+struct blkmap_crypt {
+	struct blkmap_slice slice;
+	struct udevice *blk;
+	lbaint_t blknr;
+	u8 master_key[128];
+	u32 key_size;
+	u32 payload_offset;
+	bool use_essiv;
+	u8 essiv_key[32];
+};
+
+static ulong blkmap_crypt_read(struct blkmap *bm, struct blkmap_slice *bms,
+			       lbaint_t blknr, lbaint_t blkcnt, void *buffer)
+{
+	struct blkmap_crypt *bmc = container_of(bms, struct blkmap_crypt, slice);
+	struct blk_desc *bd = dev_get_uclass_plat(bm->blk);
+	struct blk_desc *src_bd = dev_get_uclass_plat(bmc->blk);
+	lbaint_t src_blknr, blocks_read;
+	u8 *encrypted_buf, *dest = buffer;
+	u8 expkey[AES256_EXPAND_KEY_LENGTH];
+	u8 iv[AES_BLOCK_LENGTH];
+	u64 sector;
+	lbaint_t i;
+
+	/* Allocate buffer for encrypted data */
+	encrypted_buf = malloc_cache_aligned(blkcnt * src_bd->blksz);
+	if (!encrypted_buf)
+		return 0;
+
+	/*
+	 * Calculate source block number (LUKS payload offset + requested
+	 * block)
+	 */
+	src_blknr = bmc->blknr + bmc->payload_offset + blknr;
+
+	/* Read encrypted data from underlying device */
+	blocks_read = blk_read(bmc->blk, src_blknr, blkcnt, encrypted_buf);
+	if (blocks_read != blkcnt) {
+		free(encrypted_buf);
+		return 0;
+	}
+
+	/* Expand AES key */
+	aes_expand_key(bmc->master_key, bmc->key_size * 8, expkey);
+
+	/* Decrypt each sector */
+	for (i = 0; i < blkcnt; i++) {
+		/* Calculate sector number for IV */
+		sector = blknr + i;
+
+		if (bmc->use_essiv) {
+			/*
+			 * ESSIV mode:
+			 * IV = AES_encrypt(sector_number, SHA256(master_key))
+			 */
+			u8 essiv_expkey[AES256_EXPAND_KEY_LENGTH];
+			u8 sector_iv[AES_BLOCK_LENGTH];
+
+			/* Create sector number as IV input (little-endian) */
+			memset(sector_iv, 0, sizeof(sector_iv));
+			*(u64 *)sector_iv = cpu_to_le64(sector);
+
+			/* Expand ESSIV key */
+			aes_expand_key(bmc->essiv_key, 256, essiv_expkey);
+
+			/* Encrypt sector number with ESSIV key to get IV */
+			aes_encrypt(256, sector_iv, essiv_expkey, iv);
+		} else {
+			/*
+			 * Plain64 mode:
+			 * IV is sector number in little-endian format
+			 */
+			memset(iv, '\0', sizeof(iv));
+			*(u64 *)iv = cpu_to_le64(sector);
+		}
+
+		/* Decrypt sector using AES-CBC */
+		aes_cbc_decrypt_blocks(bmc->key_size * 8, expkey, iv,
+				       encrypted_buf + i * bd->blksz,
+				       dest + i * bd->blksz,
+				       bd->blksz / AES_BLOCK_LENGTH);
+	}
+	free(encrypted_buf);
+
+	return blkcnt;
+}
+
+static void blkmap_crypt_destroy(struct blkmap *bm, struct blkmap_slice *bms)
+{
+	struct blkmap_crypt *bmc = container_of(bms, struct blkmap_crypt, slice);
+
+	/* Securely wipe master key before freeing */
+	memset(bmc->master_key, 0, sizeof(bmc->master_key));
+	free(bmc);
+}
+
+int blkmap_map_crypt(struct udevice *dev, lbaint_t blknr, lbaint_t blkcnt,
+		     struct udevice *lblk, lbaint_t lblknr,
+		     const u8 *master_key, u32 key_size, u32 payload_offset,
+		     bool use_essiv, const u8 *essiv_key)
+{
+	struct blkmap *bm = dev_get_plat(dev);
+	struct blkmap_crypt *bmc;
+	int err;
+
+	if (key_size > 128)
+		return -EINVAL;
+
+	bmc = malloc(sizeof(*bmc));
+	if (!bmc)
+		return -ENOMEM;
+
+	bmc->blk = lblk;
+	bmc->blknr = lblknr;
+	bmc->key_size = key_size;
+	bmc->payload_offset = payload_offset;
+	bmc->use_essiv = use_essiv;
+	memcpy(bmc->master_key, master_key, key_size);
+
+	if (use_essiv && essiv_key)
+		memcpy(bmc->essiv_key, essiv_key, sizeof(bmc->essiv_key));
+	else
+		memset(bmc->essiv_key, 0, sizeof(bmc->essiv_key));
+
+	bmc->slice.blknr = blknr;
+	bmc->slice.blkcnt = blkcnt;
+	bmc->slice.read = blkmap_crypt_read;
+	bmc->slice.write = NULL;  /* Read-only for now */
+	bmc->slice.destroy = blkmap_crypt_destroy;
+
+	err = blkmap_slice_add(bm, &bmc->slice);
+	if (err)
+		free(bmc);
+
+	return err;
+}
+
 static ulong blkmap_blk_read_slice(struct blkmap *bm, struct blkmap_slice *bms,
 				   lbaint_t blknr, lbaint_t blkcnt,
 				   void *buffer)
diff --git a/include/blkmap.h b/include/blkmap.h
index d53095437fa..a0f46748b92 100644
--- a/include/blkmap.h
+++ b/include/blkmap.h
@@ -65,6 +65,30 @@ int blkmap_map_mem(struct udevice *dev, lbaint_t blknr, lbaint_t blkcnt,
 int blkmap_map_pmem(struct udevice *dev, lbaint_t blknr, lbaint_t blkcnt,
 		    phys_addr_t paddr);
 
+/**
+ * blkmap_map_crypt() - Map region of encrypted device
+ *
+ * Creates a mapping that performs on-the-fly decryption of the specified
+ * region from another block device. Suitable for LUKS and other encrypted
+ * block devices.
+ *
+ * @dev: Blkmap to create the mapping on
+ * @blknr: Start block number of the mapping
+ * @blkcnt: Number of blocks to map
+ * @lblk: The target block device containing encrypted data
+ * @lblknr: The start block number of the encrypted partition
+ * @master_key: Decrypted master key for decryption
+ * @key_size: Size of the master key in bytes (must be <= 128)
+ * @payload_offset: Offset in sectors from lblknr to actual encrypted payload
+ * @use_essiv: True to use ESSIV mode, false for plain64 mode
+ * @essiv_key: ESSIV key (SHA256 of master key), or NULL if use_essiv is false
+ * Returns: 0 on success, negative error code on failure
+ */
+int blkmap_map_crypt(struct udevice *dev, lbaint_t blknr, lbaint_t blkcnt,
+		     struct udevice *lblk, lbaint_t lblknr,
+		     const u8 *master_key, u32 key_size, u32 payload_offset,
+		     bool use_essiv, const u8 *essiv_key);
+
 /**
  * blkmap_from_label() - Find blkmap from label
  *

From patchwork Fri Oct 31 06:54:18 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 672
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893795;
	bh=96DNJDudW/J2yVG0vw/yo+peKBTLMVjDhR2cUs164OM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=wa9Fa8gJJZ/xS04sAlWNqOPcwPyqJ0u4c8+x5V++A/X3doxqBGVKNWBST2nnKUgvS
	 kbJcSw1WNhSzArqXhUSm27TjKfnvcwtZjvmEfgaEkNY5GCQtQ0BMz3Lc9iXsmK/PIZ
	 ceVf9gmdoL5MVRhC0g00imzjgYJYjWNoIH58Q0jhINsc+e5hkw4+OxEcnEsd297mm6
	 LpiAyvVfZO6nTY5lWeiWBdJgEe5fzcRByNJnfXIYPeajicbSRodonwXbduQAKdFMzj
	 BLG4CSEOBjdJMwkR1uGdgGBgxymXgOFMoZ07NQ0jrva3dfDYOIX2boYlLdI7byiZG4
	 fciawUBrluNcA==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 9F53D68397
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:35 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id kuIQcUzHeN1z for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:35 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893794;
	bh=96DNJDudW/J2yVG0vw/yo+peKBTLMVjDhR2cUs164OM=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=k+RyWwUPqgmngwE2kKFaWqAWuZGYhe2tHL2QuHmgnari6tx705A9gtzMhY/yEyooi
	 uwjki1ILJYAf7dIjOH08/8tt0j+2my9GfInIie4qR9TC/6MMaGJDJkbr6qO0Jh81it
	 X9Hq2rnXAPguiXe44oQRR+qHb+VlXbeousfvHKfWUM8NBdctAuM2NEBOzzGHyVpsoY
	 ob05aT3Kv1FpBENzD+DlK/Q9NZdgXRFew7URuKhXRkMOHYEzb5jY9zoPop1Fxzu/2H
	 +/7LZI/jnzM3ht2O8V4VxzdRpkWkBzp2Zg9uyZM8n5tndqPKSklQKvMA8yrQv4LAtS
	 tntGAlhGOE5oA==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 0EDDB68368
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:34 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893791;
	bh=iq77RARe8d66EDLOqk0ZkOWKSLd3D93dFnTih6Ei4H8=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=WajSyMKbsCC7KExduiPEVrEIce5XF6iYfQgXNcDd6WhKRewUqWyTlukrOZlNO0RCv
	 Bxbzg+yMHPZ58KwWdz0Xbr2UeG23lDEkqA+g/aLNhtwXlpxxLsYv18/iDzdX+LGuRx
	 dHo8RUwsJf8fxE9NoEtLia/4KXdFpPXqRf8+2GxFypA32GyGcEHFZQPTmCrp34iZjR
	 Cf8lUxxxXXxgSmuP+KzY7ta0WIV6TNBtFbT8rWodC3GbIbQVBXVfvFZAzUShK+uFkq
	 MReaRLulsEPtjih2IXibjXHZf7xVhbecR7y55zd9/9PrCrNdkU1oQFgk4ZB7rIOMzZ
	 mgQCR6KXD1zHg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 1D38B68316;
	Fri, 31 Oct 2025 00:56:31 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id Wzq33bgUg8YL; Fri, 31 Oct 2025 00:56:31 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893788;
	bh=S0E9v5nOhJsv5iX2LAENJ8+4LRCnQZD9GCf1cMg3HGw=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Z4kN2qQHno3iwsdWQx+PVc7LUN4UZ3oeD1eFMa7UxsQvvCLcxjhoRY8cAMmdEe66e
	 KL04WxXQoM1frwyUBK10Z9lJnizveakoPP993J7CJq8RhkER86RMFkARIabLyQqFpB
	 yA2zTcikVAZbIqvCYWVCbRVUmo5TdoQqZrGLV7p3Z68GfC/ps50/uky5whdTukH0S/
	 sqL36nB2Uk3p+w0jJ/MZHNUplNSJwPo8IB1F/21kx2cZPkYv4q91SFw5vfqobws9ro
	 jqQRTZD8nyrVlR4g5kZ3juOF4m+XXx9t80YbBqeGlUN2v1JUYgBGxVtGcabbgX7Fgh
	 /SUPezuT23KFA==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id 7FFE968368;
	Fri, 31 Oct 2025 00:56:28 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:18 -0600
Message-ID: <20251031065439.3251464-23-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: 7VIVX6Z2V2BURCT7SC3BMRVWCN3HUKOT
X-Message-ID-Hash: 7VIVX6Z2V2BURCT7SC3BMRVWCN3HUKOT
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 22/24] luks: Provide a way to unlock and map
 encrypted
 partitions
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/7VIVX6Z2V2BURCT7SC3BMRVWCN3HUKOT/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Add the logic to unlock a partition and set up a blkmap for use with it.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 drivers/block/luks.c | 521 +++++++++++++++++++++++++++++++++++++++++++
 include/luks.h       |  35 +++
 2 files changed, 556 insertions(+)

diff --git a/drivers/block/luks.c b/drivers/block/luks.c
index c43cb9a3dd3..4400f1cfd84 100644
--- a/drivers/block/luks.c
+++ b/drivers/block/luks.c
@@ -6,7 +6,9 @@
  */
 
 #include <blk.h>
+#include <blkmap.h>
 #include <dm.h>
+#include <hash.h>
 #include <hexdump.h>
 #include <json.h>
 #include <log.h>
@@ -14,12 +16,15 @@
 #include <memalign.h>
 #include <part.h>
 #include <uboot_aes.h>
+#include <asm/unaligned.h>
 #include <linux/byteorder/generic.h>
 #include <linux/err.h>
 #include <linux/errno.h>
 #include <linux/string.h>
 #include <mbedtls/md.h>
 #include <mbedtls/pkcs5.h>
+#include <u-boot/sha256.h>
+#include <u-boot/sha512.h>
 
 int luks_get_version(struct udevice *blk, struct disk_partition *pinfo)
 {
@@ -133,3 +138,519 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo)
 
 	return 0;
 }
+
+/**
+ * af_hash() - Apply anti-forensic diffusion by hashing each block
+ *
+ * This applies the LUKS AF-hash diffusion function to a buffer. Each
+ * digest-sized chunk is replaced with H(counter || chunk), where H is
+ * the specified hash function.
+ *
+ * @algo:	Hash algorithm to use
+ * @key_size:	Size of the buffer to diffuse
+ * @block_buf:	Buffer to diffuse in-place
+ * Return:	0 on success, -ve on error
+ */
+static int af_hash(struct hash_algo *algo, size_t key_size, u8 *block_buf)
+{
+	uint hashcount, finallen, i, digest_size = algo->digest_size;
+	u8 input_buf[sizeof(u32) + HASH_MAX_DIGEST_SIZE];
+	u8 hash_buf[HASH_MAX_DIGEST_SIZE];
+
+	if (digest_size > HASH_MAX_DIGEST_SIZE)
+		return -EINVAL;
+
+	/* Calculate how many full digest blocks fit */
+	hashcount = key_size / digest_size;
+	finallen = key_size % digest_size;
+	if (finallen)
+		hashcount++;
+	else
+		finallen = digest_size;
+
+	/* Hash each chunk with a counter prefix */
+	for (i = 0; i < hashcount; i++) {
+		size_t chunk_size, input_len;
+		u32 iv = cpu_to_be32(i);
+
+		chunk_size = (i == hashcount - 1) ? finallen : digest_size;
+		input_len = sizeof(iv) + chunk_size;
+
+		/* Build input: counter || block_chunk */
+		memcpy(input_buf, &iv, sizeof(iv));
+		memcpy(input_buf + sizeof(iv),
+		       block_buf + (i * digest_size), chunk_size);
+
+		/* Hash: H(counter || block_chunk) */
+		algo->hash_func_ws(input_buf, input_len, hash_buf,
+				   algo->chunk_size);
+
+		/* Replace chunk with its hash */
+		memcpy(block_buf + (i * digest_size), hash_buf, chunk_size);
+	}
+
+	return 0;
+}
+
+/**
+ * af_merge() - Merge anti-forensic split key into original key
+ *
+ * This performs the LUKS AF-merge operation to recover the original key from its
+ * AF-split representation. The algorithm XORs all stripes together, applying
+ * diffusion between each stripe.
+ *
+ * @src:	AF-split key material (key_size * stripes bytes)
+ * @dst:	Output buffer for merged key (key_size bytes)
+ * @key_size:	Size of the original key
+ * @stripes:	Number of anti-forensic stripes
+ * @hash_spec:	Hash algorithm name (e.g., "sha256")
+ * Return:	0 on success, -ve on error
+ */
+static int af_merge(const u8 *src, u8 *dst, size_t key_size, uint stripes,
+		    const char *hash_spec)
+{
+	struct hash_algo *algo;
+	u8 block_buf[128];
+	int ret;
+	uint i;
+
+	/* Look up hash algorithm */
+	ret = hash_lookup_algo(hash_spec, &algo);
+	if (ret) {
+		log_debug("Unsupported hash algorithm: %s\n", hash_spec);
+		return -ENOTSUPP;
+	}
+
+	if (key_size > sizeof(block_buf))
+		return -E2BIG;
+
+	memset(block_buf, '\0', key_size);
+
+	/* Standard LUKS AF-merge algorithm */
+	for (i = 0; i < stripes - 1; i++) {
+		uint j;
+
+		/* XOR stripe into block_buf */
+		for (j = 0; j < key_size; j++)
+			block_buf[j] ^= src[i * key_size + j];
+
+		/* Diffuse by hashing */
+		ret = af_hash(algo, key_size, block_buf);
+		if (ret)
+			return ret;
+	}
+
+	/* Final XOR with last stripe */
+	for (i = 0; i < key_size; i++)
+		dst[i] = block_buf[i] ^ src[(stripes - 1) * key_size + i];
+
+	return 0;
+}
+
+/**
+ * try_keyslot() - Unlock a LUKS key slot with a passphrase
+ *
+ * @blk:		Block device
+ * @pinfo:		Partition information
+ * @hdr:		LUKS header
+ * @slot_idx:		Key slot index to try
+ * @passphrase:		Passphrase to try
+ * @md_type:		Hash algorithm type
+ * @key_size:		Size of the key
+ * @derived_key:	Buffer for derived key (key_size bytes)
+ * @km:			Buffer for encrypted key material
+ * @km_blocks:		Size of km buffer in blocks
+ * @split_key:		Buffer for AF-split key
+ * @candidate_key:	Buffer to receive decrypted master key
+ *
+ * Return: 0 on success (correct passphrase), -EPROTO on mbedtls error, -ve on
+ * other error
+ */
+/**
+ * essiv_decrypt() - Decrypt key material using ESSIV mode
+ *
+ * ESSIV (Encrypted Salt-Sector Initialization Vector) mode generates a unique
+ * IV for each sector by encrypting the sector number with a key derived from
+ * hashing the encryption key.
+ *
+ * @derived_key: Key derived from passphrase
+ * @key_size: Size of the encryption key in bytes
+ * @expkey: Expanded AES key for decryption
+ * @km: Encrypted key material buffer
+ * @split_key: Output buffer for decrypted key material
+ * @km_blocks: Number of blocks of key material
+ * @blksz: Block size in bytes
+ */
+static void essiv_decrypt(u8 *derived_key, uint key_size, u8 *expkey,
+			  u8 *km, u8 *split_key, uint km_blocks, uint blksz)
+{
+	u8 essiv_expkey[AES256_EXPAND_KEY_LENGTH];
+	u8 essiv_key_material[SHA256_SUM_LEN];
+	u8 iv[AES_BLOCK_LENGTH];
+	u32 num_sectors = km_blocks;
+	uint rel_sect;
+
+	/* Generate ESSIV key by hashing the encryption key */
+	log_debug("using ESSIV mode\n");
+	sha256_csum_wd(derived_key, key_size, essiv_key_material,
+		       CHUNKSZ_SHA256);
+
+	log_debug_hex("ESSIV key[0-7]:", essiv_key_material, 8);
+
+	/* Expand ESSIV key for AES */
+	aes_expand_key(essiv_key_material, 256, essiv_expkey);
+
+	/*
+	 * Decrypt each sector with its own IV
+	 * NOTE: sector number is relative to the key material buffer,
+	 * not an absolute disk sector
+	 */
+	for (rel_sect = 0; rel_sect < num_sectors; rel_sect++) {
+		u8 sector_iv[AES_BLOCK_LENGTH];
+
+		/*
+		 * Create IV: little-endian sector number padded to
+		 * 16 bytes
+		 */
+		memset(sector_iv, '\0', AES_BLOCK_LENGTH);
+		put_unaligned_le32(rel_sect, sector_iv);
+
+		/* Encrypt sector number with ESSIV key to get IV */
+		aes_encrypt(256, sector_iv, essiv_expkey, iv);
+
+		/* Show the first sector for debugging */
+		if (!rel_sect) {
+			log_debug("rel_sect %x, ", rel_sect);
+			log_debug_hex("IV[0-7]:", iv, 8);
+		}
+
+		/* Decrypt this sector */
+		aes_cbc_decrypt_blocks(key_size * 8, expkey, iv,
+				       km + (rel_sect * blksz),
+				       split_key + (rel_sect * blksz),
+				       blksz / AES_BLOCK_LENGTH);
+	}
+}
+
+static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
+		       struct luks1_phdr *hdr, int slot_idx,
+		       const char *passphrase, mbedtls_md_type_t md_type,
+		       uint key_size, u8 *derived_key, u8 *km, uint km_blocks,
+		       u8 *split_key, u8 *candidate_key)
+{
+	struct luks1_keyslot *slot = &hdr->key_slot[slot_idx];
+	uint iterations, km_offset, stripes, split_key_size;
+	struct blk_desc *desc = dev_get_uclass_plat(blk);
+	u8 expkey[AES256_EXPAND_KEY_LENGTH];
+	u8 key_digest[LUKS_DIGESTSIZE];
+	u8 iv[AES_BLOCK_LENGTH];
+	int ret;
+
+	/* Check if slot is active */
+	if (be32_to_cpu(slot->active) != LUKS_KEY_ENABLED)
+		return -ENOENT;
+
+	log_debug("trying key slot %d...\n", slot_idx);
+
+	iterations = be32_to_cpu(slot->iterations);
+	km_offset = be32_to_cpu(slot->key_material_offset);
+	stripes = be32_to_cpu(slot->stripes);
+	split_key_size = key_size * stripes;
+
+	/* Derive key from passphrase using PBKDF2 */
+	log_debug("PBKDF2(pass '%s'[len %zu], ", passphrase,
+		  strlen(passphrase));
+	log_debug_hex("salt[0-7]", (u8 *)slot->salt, 8);
+	log_debug("iter %u, keylen %u)\n", iterations, key_size);
+	ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, (const u8 *)passphrase,
+					    strlen(passphrase),
+					    (const u8 *)slot->salt,
+					    LUKS_SALTSIZE, iterations,
+					    key_size, derived_key);
+	if (ret) {
+		log_debug("PBKDF2 failed: %d\n", ret);
+		return -EPROTO;
+	}
+
+	log_debug_hex("derived_key[0-7]", derived_key, 8);
+
+	/* Read encrypted key material */
+	ret = blk_read(blk, pinfo->start + km_offset, km_blocks, km);
+	if (ret != km_blocks) {
+		log_debug("Failed to read key material\n");
+		return -EIO;
+	}
+
+	log_debug_hex("km[0-7]", km, 8);
+
+	/* Decrypt key material using derived key */
+	log_debug("expand key with key_size*8 %u bits\n", key_size * 8);
+	log_debug_hex("input key (derived_key) full:", derived_key, key_size);
+
+	aes_expand_key(derived_key, key_size * 8, expkey);
+
+	log_debug_hex("expanded key [0-15]:", expkey, 16);
+
+	/* Decrypt with CBC mode: first check if ESSIV is used */
+	if (strstr(hdr->cipher_mode, "essiv")) {
+		essiv_decrypt(derived_key, key_size, expkey, km, split_key,
+			      km_blocks, desc->blksz);
+	} else {
+		/* Plain CBC with zero IV */
+		memset(iv, '\0', sizeof(iv));
+		log_debug("using plain CBC with zero IV\n");
+		log_debug("decrypting %u blocks\n",
+			  split_key_size / AES_BLOCK_LENGTH);
+		aes_cbc_decrypt_blocks(key_size * 8, expkey, iv, km, split_key,
+				       split_key_size / AES_BLOCK_LENGTH);
+	}
+
+	log_debug_hex("split_key[0-7]", split_key, 8);
+
+	/* Merge AF-split key */
+	ret = af_merge(split_key, candidate_key, key_size, stripes,
+		       hdr->hash_spec);
+	if (ret) {
+		log_debug("af_merge() failed\n");
+		return ret;
+	}
+
+	log_debug_hex("candidate_key[0-7]", candidate_key, 8);
+
+	/* Verify master key by checking its digest */
+	ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, candidate_key, key_size,
+					    (const u8 *)hdr->mk_digest_salt,
+					    LUKS_SALTSIZE,
+					    be32_to_cpu(hdr->mk_digest_iter),
+					    LUKS_DIGESTSIZE, key_digest);
+	if (ret) {
+		log_debug("Master key digest derivation failed\n");
+		return EPROTO;
+	}
+
+	log_debug_hex("key_digest[0-7]", key_digest, 8);
+	log_debug_hex("mk_digest[0-7]", (u8 *)hdr->mk_digest, 8);
+
+	/* Check if the digest matches */
+	if (memcmp(key_digest, hdr->mk_digest, LUKS_DIGESTSIZE) == 0) {
+		log_debug("Uunlocked with key slot %d\n", slot_idx);
+		return 0;
+	}
+	log_debug("key slot %d: wrong passphrase\n", slot_idx);
+
+	return -EACCES;
+}
+
+int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
+		const char *passphrase, u8 *master_key, u32 *key_size)
+{
+	uint version, split_key_size, km_blocks, hdr_blocks;
+	struct hash_algo *hash_algo;
+	mbedtls_md_type_t md_type;
+	struct luks1_phdr *hdr;
+	struct blk_desc *desc;
+	u8 candidate_key[128];
+	u8 *split_key = NULL;
+	u8 *derived_key = NULL;
+	u8 *km = NULL;
+	int i, ret = -EINVAL;
+
+	if (!blk || !pinfo || !passphrase || !master_key || !key_size)
+		return -EINVAL;
+
+	desc = dev_get_uclass_plat(blk);
+
+	/* LUKS1 header is 592 bytes, calculate blocks needed */
+	hdr_blocks = (sizeof(struct luks1_phdr) + desc->blksz - 1) /
+			desc->blksz;
+
+	/* Allocate buffer for LUKS header */
+	ALLOC_CACHE_ALIGN_BUFFER(u8, buffer, hdr_blocks * desc->blksz);
+
+	/* Read LUKS header */
+	if (blk_read(blk, pinfo->start, hdr_blocks, buffer) != hdr_blocks) {
+		log_debug("failed to read LUKS header\n");
+		return -EIO;
+	}
+
+	/* Verify it's LUKS */
+	if (memcmp(buffer, LUKS_MAGIC, LUKS_MAGIC_LEN) != 0) {
+		log_debug("not a LUKS partition\n");
+		return -ENOENT;
+	}
+
+	version = be16_to_cpu(*(__be16 *)(buffer + LUKS_MAGIC_LEN));
+	if (version != LUKS_VERSION_1) {
+		log_debug("only LUKS1 decryption is currently supported\n");
+		return -ENOTSUPP;
+	}
+
+	hdr = (struct luks1_phdr *)buffer;
+
+	/* Debug: show what we read from header */
+	log_debug("Read header at sector %llu, mk_digest[0-7] ", (unsigned long long)pinfo->start);
+	log_debug_hex("", (u8 *)hdr->mk_digest, 8);
+
+	/* Verify cipher mode - only CBC supported */
+	if (strncmp(hdr->cipher_mode, "cbc", 3) != 0) {
+		log_debug("only CBC mode is currently supported (got: %.32s)\n",
+			  hdr->cipher_mode);
+		return -ENOTSUPP;
+	}
+
+	/* Look up hash algorithm */
+	ret = hash_lookup_algo(hdr->hash_spec, &hash_algo);
+	if (ret) {
+		log_debug("unsupported hash: %.32s\n", hdr->hash_spec);
+		return -ENOTSUPP;
+	}
+
+	md_type = hash_mbedtls_type(hash_algo);
+
+	*key_size = be32_to_cpu(hdr->key_bytes);
+
+	/* Find the first active slot to get the stripes value */
+	u32 stripes = 0;
+	for (i = 0; i < LUKS_NUMKEYS; i++) {
+		if (be32_to_cpu(hdr->key_slot[i].active) == LUKS_KEY_ENABLED) {
+			stripes = be32_to_cpu(hdr->key_slot[i].stripes);
+			break;
+		}
+	}
+	if (stripes == 0) {
+		log_debug("no active key slots found\n");
+		return -ENOENT;
+	}
+
+	split_key_size = *key_size * stripes;
+
+	log_debug("Trying to unlock LUKS partition: key size: %u bytes\n",
+		  *key_size);
+
+	/* Allocate buffers */
+	derived_key = malloc(*key_size);
+	split_key = malloc(split_key_size);
+	km_blocks = (split_key_size + desc->blksz - 1) / desc->blksz;
+	km = malloc_cache_aligned(km_blocks * desc->blksz);
+
+	if (!derived_key || !split_key || !km) {
+		ret = -ENOMEM;
+		goto out;
+	}
+
+	/* Try each key slot */
+	for (i = 0; i < LUKS_NUMKEYS; i++) {
+		ret = try_keyslot(blk, pinfo, hdr, i, passphrase, md_type,
+				  *key_size, derived_key, km, km_blocks,
+				  split_key, candidate_key);
+
+		if (!ret) {
+			/* Successfully unlocked */
+			memcpy(master_key, candidate_key, *key_size);
+			goto out;
+		}
+		/* Continue trying other slots on failure */
+	}
+
+	log_debug("Failed to unlock: wrong passphrase or no active key slots\n");
+	ret = -EACCES;
+
+out:
+	if (derived_key) {
+		memset(derived_key, '\0', *key_size);
+		free(derived_key);
+	}
+	if (split_key) {
+		memset(split_key, '\0', split_key_size);
+		free(split_key);
+	}
+	if (km) {
+		memset(km, '\0', km_blocks * desc->blksz);
+		free(km);
+	}
+	memset(candidate_key, '\0', sizeof(candidate_key));
+
+	return ret;
+}
+
+/**
+ * luks_create_blkmap() - Create a blkmap device for a LUKS partition
+ *
+ * This creates and configures a blkmap device to provide access to the
+ * decrypted contents of a LUKS partition. The master key must already be
+ * unlocked using luks_unlock().
+ *
+ * @blk:	Block device containing the LUKS partition
+ * @pinfo:	Partition information
+ * @master_key:	Unlocked master key
+ * @key_size:	Size of the master key in bytes
+ * @label:	Label for the blkmap device
+ * @blkmap_dev:	Output pointer for created blkmap device
+ * Return:	0 on success, -ve on error
+ */
+int luks_create_blkmap(struct udevice *blk, struct disk_partition *pinfo,
+		       const u8 *master_key, u32 key_size, const char *label,
+		       struct udevice **blkmap_dev)
+{
+	u8 essiv_key[SHA256_SUM_LEN];  /* SHA-256 output */
+	struct luks1_phdr *hdr;
+	struct blk_desc *desc;
+	struct udevice *dev;
+	uint payload_offset;
+	bool use_essiv;
+	int ret;
+
+	if (!blk || !pinfo || !master_key || !label || !blkmap_dev)
+		return -EINVAL;
+
+	desc = dev_get_uclass_plat(blk);
+
+	/* Read LUKS header to get payload offset and cipher mode */
+	ALLOC_CACHE_ALIGN_BUFFER(u8, buf, desc->blksz);
+	if (blk_read(blk, pinfo->start, 1, buf) != 1) {
+		log_debug("failed to read LUKS header\n");
+		return -EIO;
+	}
+	hdr = (struct luks1_phdr *)buf;
+
+	/* Create blkmap device */
+	ret = blkmap_create(label, &dev);
+	if (ret) {
+		log_debug("failed to create blkmap device\n");
+		return ret;
+	}
+
+	/* Check if ESSIV mode is used */
+	use_essiv = strstr(hdr->cipher_mode, "essiv");
+
+	if (use_essiv) {
+		int hash_size = SHA256_SUM_LEN;
+
+		if (hash_block("sha256", master_key, key_size, essiv_key,
+			       &hash_size)) {
+			log_debug("SHA256 hash algorithm not available\n");
+			blkmap_destroy(dev);
+			return -ENOTSUPP;
+		}
+	}
+
+	/* Map the encrypted partition to the blkmap device */
+	payload_offset = be32_to_cpu(hdr->payload_offset);
+	log_debug("mapping blkmap: blknr 0 blkcnt %lx payload_offset %x essiv %d\n",
+		  (ulong)pinfo->size, payload_offset, use_essiv);
+	ret = blkmap_map_crypt(dev, 0, pinfo->size, blk, pinfo->start,
+			       master_key, key_size, payload_offset,
+			       use_essiv, use_essiv ? essiv_key : NULL);
+	if (ret) {
+		log_debug("failed to map encrypted partition\n");
+		blkmap_destroy(dev);
+		return ret;
+	}
+
+	/* Wipe ESSIV key from stack */
+	if (use_essiv)
+		memset(essiv_key, '\0', sizeof(essiv_key));
+	*blkmap_dev = dev;
+
+	return 0;
+}
diff --git a/include/luks.h b/include/luks.h
index ea6dd510c53..f8fda27e132 100644
--- a/include/luks.h
+++ b/include/luks.h
@@ -137,4 +137,39 @@ int luks_get_version(struct udevice *blk, struct disk_partition *pinfo);
  */
 int luks_show_info(struct udevice *blk, struct disk_partition *pinfo);
 
+/**
+ * luks_unlock() - Unlock a LUKS partition with a passphrase
+ *
+ * This attempts to decrypt the master key using the provided passphrase.
+ * Currently only supports LUKS1 with PBKDF2 and AES-CBC.
+ *
+ * @blk:	Block device
+ * @pinfo:	Partition information
+ * @passphrase:	Passphrase to unlock the partition
+ * @master_key:	Buffer to receive the decrypted master key
+ * @key_size:	Size of the master_key buffer
+ * Return:	0 on success, -ve on error
+ */
+int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
+		const char *passphrase, u8 *master_key, u32 *key_size);
+
+/**
+ * luks_create_blkmap() - Create a blkmap device for a LUKS partition
+ *
+ * This creates and configures a blkmap device to provide access to the
+ * decrypted contents of a LUKS partition. The master key must already be
+ * unlocked using luks_unlock().
+ *
+ * @blk:	Block device containing the LUKS partition
+ * @pinfo:	Partition information
+ * @master_key:	Unlocked master key
+ * @key_size:	Size of the master key in bytes
+ * @label:	Label for the blkmap device
+ * @blkmap_dev:	Output pointer for created blkmap device
+ * Return:	0 on success, -ve on error
+ */
+int luks_create_blkmap(struct udevice *blk, struct disk_partition *pinfo,
+		       const u8 *master_key, u32 key_size, const char *label,
+		       struct udevice **blkmap_dev);
+
 #endif /* __LUKS_H__ */

From patchwork Fri Oct 31 06:54:19 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass <sjg@u-boot.org>
X-Patchwork-Id: 673
Return-Path: <concept-bounces+u-boot-concept=u-boot.org@u-boot.org>
X-Original-To: u-boot-concept@u-boot.org
Delivered-To: u-boot-concept@u-boot.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893797;
	bh=u31eW1lNMDLkXOw7Y92UJWKSXD16+dBeTbiE3iSC25c=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=kE8peyJzNfclMcEo2K8Z/g5J4orfY9828Ej1K/Otouu+0eS0W1+ddRT9d9M+JtglX
	 opCB02Ss3uTFC3tc07qBGHOV1RgVJLNLjpQY/yJFyn0DzgXUrGtmnVhgehaYGJyAOj
	 2d2RJbI0ZNxqzKluCwrmj5X8kvTJ51ggt5QySiKhqoWWcVAw14YBhN94FzWtJnuGmK
	 mOPeVyfdffQ+ZxMGdfSA5gDZqInsDOLWI55P0Z+bXplJzdRWmRLa1nzEa+p+Vw2m0q
	 WxFLYL28oiWzhwojUgtk/V7l9bMiPDYa6yK5mS/bLDHLoj+9JRi5WjqYLNe8XHaPTz
	 l7hzbxa/CF/iw==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id DE3665FBA9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:37 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id f9YE864zxGQl for <u-boot-concept@u-boot.org>;
 Fri, 31 Oct 2025 00:56:37 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893796;
	bh=u31eW1lNMDLkXOw7Y92UJWKSXD16+dBeTbiE3iSC25c=;
	h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From;
	b=PP7+AA7fDjI4BJfeC+hDxxTBm31ASpwaFFB4PmM+QAIa0SN2/amXc2KkYvMm0+Ipb
	 yo72yY+q5tsAD64tvXaPRFCrUgl6H1ziwRSWy/OtQdXMpqSLYjyaa94zGbe5VBNt9P
	 fe5fYHKgxQACLUC95H7UUMh7n9+K3JjTAi7XYHEhE8HhTd43YhQKipLv1xxbrq5n7I
	 Gi2q/cLwXwFaaS5uGJwxAYiJBia4tTD0zlAK2H+dGTaZwjqYfCHQgE/YuO1esFAWXb
	 jL5r2bxRO+R1P2j+AFgq0SSIw91aWqBDnBXDL33LKlIxkA28ZDa6XLgx55bbjDtPQi
	 Gyi4EFg8M9OAw==
Received: from mail.u-boot.org (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 73DE0682E9
	for <u-boot-concept@u-boot.org>; Fri, 31 Oct 2025 00:56:36 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893795;
	bh=1aoD2XZGli+KmETGNDOrcaFDD+MZj0kM+deiRyGwODo=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=SiYT6m6MqETPhWnMAzzr4oxe3AsdCFBIuS6CcEwqoJquVYDAearKGxuh6dipUyzrd
	 TAEVv2bPqIaaHcUh3nhrYe5I0vtdRjZQ4s4GjJafIhr/4J6Gz1EIMPC1R4kUACKCGd
	 M4b6ZpBZMP2ALYUn6wLVW8K0RvKD/w4ymSmpO3Y9Ji64hAttapxwKcs6lcAaKqDol2
	 u1m+lvrTTN4dEgkaOAL/WoYgOxI7Rvr6E6K9qq5Eg26CQv0qqRi/rSnoGHunv8Xwkc
	 PmQQ0u42TNe29QxPgNo7E0eHZCyoUomSEczMjMvOp+pKXuveBcGdWDiuSOgoYfgdYa
	 SOtlSGrAxX8Yg==
Received: from localhost (localhost [127.0.0.1])
	by mail.u-boot.org (Postfix) with ESMTP id 8DD3F5FBA9;
	Fri, 31 Oct 2025 00:56:35 -0600 (MDT)
X-Virus-Scanned: Debian amavis at 
Received: from mail.u-boot.org ([127.0.0.1])
 by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP
 id czVi9ayI8b3f; Fri, 31 Oct 2025 00:56:35 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org;
	s=default; t=1761893790;
	bh=bpOzNwnuhD1VxMa4AtvC8LwGGwRXKoXqZNyz1o1xTag=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=k523nJbDDLAEnW9wfm3FFvWeryWJQiP8s4eTj06h119cTsdPXxO4ab39AGR/AVtnp
	 EHtiDh+QrfSKChznLL+8hGK1rOa0NpAu0nYgJUUKnJQzJ7gkY5hxwdiP/ShBBgDfyh
	 ylN0N52qqhJcwELzy2v9KQ44OAaDbrBbzvDC98q27r6OzdjuB9je094gkUWhGR3kGL
	 5vh2USDm3/GbJ6YEBtagk6Rw9ebmxQWQ7on0umEx+NfaxcvuLtLWwAdIzw9GssTNEp
	 375y+r1azLqbsTErZcDit9dzxMgVQDYZ/a+VPnVY9kb5iMntFsLhT1WcKjxd7r/pHD
	 VZSl9nYxtpiOg==
Received: from u-boot.org (unknown [73.34.74.121])
	by mail.u-boot.org (Postfix) with ESMTPSA id BCE96682E9;
	Fri, 31 Oct 2025 00:56:29 -0600 (MDT)
From: Simon Glass <sjg@u-boot.org>
To: U-Boot Concept <concept@u-boot.org>
Date: Fri, 31 Oct 2025 00:54:19 -0600
Message-ID: <20251031065439.3251464-24-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org>
References: <20251031065439.3251464-1-sjg@u-boot.org>
MIME-Version: 1.0
Message-ID-Hash: UBZ6OAHW4ZSZ7AIUBKK3NNI3BKHZL47P
X-Message-ID-Hash: UBZ6OAHW4ZSZ7AIUBKK3NNI3BKHZL47P
X-MailFrom: sjg@u-boot.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com>
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Concept] [PATCH 23/24] luks: Add a subcommand to unlock an encrypted
 partition
List-Id: Discussion and patches related to U-Boot Concept <concept.u-boot.org>
Archived-At: 
 <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/UBZ6OAHW4ZSZ7AIUBKK3NNI3BKHZL47P/>
List-Archive: <https://lists.u-boot.org/archives/list/concept@u-boot.org/>
List-Help: <mailto:concept-request@u-boot.org?subject=help>
List-Owner: <mailto:concept-owner@u-boot.org>
List-Post: <mailto:concept@u-boot.org>
List-Subscribe: <mailto:concept-join@u-boot.org>
List-Unsubscribe: <mailto:concept-leave@u-boot.org>

From: Simon Glass <sjg@chromium.org>

Provide a new 'luks unlock' command which can unlock a LUKS1 partition,
given a passphrase.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 cmd/luks.c             | 70 ++++++++++++++++++++++++++++++++-
 doc/usage/cmd/luks.rst | 87 +++++++++++++++++++++++++++++++++++++++++-
 test/boot/luks.c       | 26 +++++++++++++
 3 files changed, 180 insertions(+), 3 deletions(-)

diff --git a/cmd/luks.c b/cmd/luks.c
index 04ddcdb1d46..19f909be96b 100644
--- a/cmd/luks.c
+++ b/cmd/luks.c
@@ -57,11 +57,77 @@ static int do_luks_info(struct cmd_tbl *cmdtp, int flag, int argc,
 	return CMD_RET_SUCCESS;
 }
 
+static int do_luks_unlock(struct cmd_tbl *cmdtp, int flag, int argc,
+			  char *const argv[])
+{
+	struct blk_desc *dev_desc;
+	struct disk_partition info;
+	struct udevice *blkmap_dev;
+	const char *passphrase;
+	int part, ret, version;
+	u8 master_key[128];
+	char label[64];
+	u32 key_size;
+
+	if (argc != 4)
+		return CMD_RET_USAGE;
+
+	part = blk_get_device_part_str(argv[1], argv[2], &dev_desc, &info, 1);
+	if (part < 0)
+		return CMD_RET_FAILURE;
+
+	passphrase = argv[3];
+
+	/* Verify it's a LUKS partition */
+	version = luks_get_version(dev_desc->bdev, &info);
+	if (version < 0) {
+		printf("Not a LUKS partition\n");
+		return CMD_RET_FAILURE;
+	}
+
+	if (version != LUKS_VERSION_1) {
+		printf("Only LUKS1 is currently supported\n");
+		return CMD_RET_FAILURE;
+	}
+
+	/* Unlock the partition to get the master key */
+	ret = luks_unlock(dev_desc->bdev, &info, passphrase, master_key,
+			  &key_size);
+	if (ret) {
+		printf("Failed to unlock LUKS partition (err %dE)\n", ret);
+		return CMD_RET_FAILURE;
+	}
+
+	/* Create blkmap device with label based on source device */
+	snprintf(label, sizeof(label), "luks-%s-%s", argv[1], argv[2]);
+
+	/* Create and map the blkmap device */
+	ret = luks_create_blkmap(dev_desc->bdev, &info, master_key, key_size,
+				 label, &blkmap_dev);
+	if (ret) {
+		printf("Failed to create blkmap device (err %dE)\n", ret);
+		ret = CMD_RET_FAILURE;
+		goto cleanup;
+	}
+
+	printf("Unlocked LUKS partition as blkmap device '%s'\n", label);
+
+	ret = CMD_RET_SUCCESS;
+
+cleanup:
+	/* Wipe master key from stack */
+	memset(master_key, '\0', sizeof(master_key));
+
+	return ret;
+}
+
 static char luks_help_text[] =
 	"detect <interface> <dev[:part]> - detect if partition is LUKS encrypted\n"
-	"luks info <interface> <dev[:part]> - show LUKS header information";
+	"luks info <interface> <dev[:part]> - show LUKS header information\n"
+	"luks unlock <interface> <dev[:part]> <passphrase> - unlock LUKS partition\n";
 
 U_BOOT_CMD_WITH_SUBCMDS(luks, "LUKS (Linux Unified Key Setup) operations",
 			luks_help_text,
 	U_BOOT_SUBCMD_MKENT(detect, 3, 1, do_luks_detect),
-	U_BOOT_SUBCMD_MKENT(info, 3, 1, do_luks_info));
+	U_BOOT_SUBCMD_MKENT(info, 3, 1, do_luks_info),
+	U_BOOT_SUBCMD_MKENT(unlock, 4, 1, do_luks_unlock));
diff --git a/doc/usage/cmd/luks.rst b/doc/usage/cmd/luks.rst
index c3b03eeff2e..8dbcb8549c7 100644
--- a/doc/usage/cmd/luks.rst
+++ b/doc/usage/cmd/luks.rst
@@ -13,11 +13,12 @@ Synopsis
 
     luks detect <interface> <dev[:part]>
     luks info <interface> <dev[:part]>
+    luks unlock <interface> <dev[:part]> <passphrase>
 
 Description
 -----------
 
-The *luks* command provides an interface to detect and inspect LUKS
+The *luks* command provides an interface to detect, inspect, and unlock LUKS
 (Linux Unified Key Setup) encrypted partitions. LUKS is a disk encryption
 specification used for full disk encryption on Linux systems.
 
@@ -25,6 +26,7 @@ This command supports:
 
 * Detection of LUKS encrypted partitions (LUKS1 and LUKS2)
 * Display of LUKS header information
+* Unlocking LUKS1 partitions with passphrase-based authentication
 * Access to decrypted data via blkmap devices
 
 The LUKS format uses a distinctive header containing:
@@ -83,6 +85,42 @@ dev[:part]
     The device number and optional partition number. If partition is omitted,
     defaults to the whole device.
 
+luks unlock
+~~~~~~~~~~~
+
+Unlock a LUKS1 encrypted partition using a passphrase. This command:
+
+1. Verifies the partition is LUKS1 encrypted
+2. Derives the encryption key using PBKDF2 with the provided passphrase
+3. Attempts to unlock each active key slot
+4. Verifies the master key against the stored digest
+5. Creates a blkmap device providing on-the-fly decryption
+
+After successful unlock, the decrypted data is accessible through a blkmap
+device (typically ``blkmap 0``). Standard U-Boot filesystem commands can then
+be used to access files on the unlocked partition.
+
+**Currently only LUKS1 is supported for unlocking. LUKS2 unlock is not yet
+implemented.**
+
+Supported cipher modes:
+
+* aes-cbc-essiv:sha256 (AES in CBC mode with ESSIV)
+
+interface
+    The storage interface type (e.g., mmc, usb, scsi)
+
+dev[:part]
+    The device number and optional partition number
+
+passphrase
+    The passphrase to unlock the LUKS partition. Note that the passphrase is
+    passed as a command-line argument and may be visible in command history.
+    Consider using environment variables to minimize exposure.
+
+The unlocked data remains accessible until U-Boot exits or the blkmap device
+is explicitly destroyed.
+
 Examples
 --------
 
@@ -145,6 +183,40 @@ Display LUKS header information for a LUKS1 partition::
     Payload offset: 4096 sectors
     Key bytes:      32
 
+Unlock a LUKS1 partition and access files::
+
+    => luks unlock mmc 0:2 mypassword
+    Trying to unlock LUKS partition...
+    Key size: 32 bytes
+    Trying key slot 0...
+    Successfully unlocked with key slot 0!
+    Unlocked LUKS partition as blkmap device 'luks-mmc-0:2'
+    Access decrypted data via: blkmap 0
+
+    => ls blkmap 0 /
+                ./
+                ../
+                lost+found/
+          221   README.md
+           17   hello.txt
+                subdir/
+           20   test.txt
+
+    3 file(s), 4 dir(s)
+
+    => cat blkmap 0 /hello.txt
+    Hello from LUKS!
+
+Unlock and load a kernel from encrypted partition::
+
+    => luks unlock mmc 0:2 ${rootfs_password}
+    Successfully unlocked with key slot 0!
+
+    => ext4load blkmap 0 ${kernel_addr_r} /boot/vmlinuz
+    5242880 bytes read in 123 ms (40.6 MiB/s)
+
+    => bootz ${kernel_addr_r} - ${fdt_addr_r}
+
 Configuration
 -------------
 
@@ -155,14 +227,27 @@ For LUKS detection and info commands::
     CONFIG_BLK_LUKS=y
     CONFIG_CMD_LUKS=y
 
+For LUKS unlock functionality, additional options are required::
+
+    CONFIG_BLK_LUKS=y
+    CONFIG_CMD_LUKS=y
+    CONFIG_BLKMAP=y      # For blkmap device support
+    CONFIG_AES=y         # For AES encryption
+    CONFIG_SHA256=y      # For SHA-256 hashing
+    CONFIG_PBKDF2=y      # For PBKDF2 key derivation
+
 Return value
 ------------
 
 For *detect* and *info*: The return value $? is 0 (true) on success, 1 (false)
 on failure.
 
+For *unlock*: The return value $? is 0 (true) if unlock succeeded, 1 (false)
+if unlock failed (wrong passphrase, unsupported format, etc.).
+
 See also
 --------
 
+* :doc:`blkmap` - Blkmap device documentation
 * cryptsetup project: https://gitlab.com/cryptsetup/cryptsetup
 * LUKS on-disk format specifications: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home
diff --git a/test/boot/luks.c b/test/boot/luks.c
index 70ee0fb0824..afa8c9f172e 100644
--- a/test/boot/luks.c
+++ b/test/boot/luks.c
@@ -213,3 +213,29 @@ static int bootstd_test_luks2_info(struct unit_test_state *uts)
 	return 0;
 }
 BOOTSTD_TEST(bootstd_test_luks2_info, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);
+
+/* Test LUKS unlock command with LUKS1 encrypted partition */
+static int bootstd_test_luks_unlock(struct unit_test_state *uts)
+{
+	struct udevice *mmc;
+
+	ut_assertok(setup_mmc11(uts, &mmc));
+
+	/* Test that unlock command exists and handles errors properly */
+	/* Should fail because partition 1 is not LUKS */
+	ut_asserteq(1, run_command("luks unlock mmc b:1 test", 0));
+	ut_assert_nextline("Not a LUKS partition");
+	ut_assert_console_end();
+
+	/* Test unlocking partition 2 with correct passphrase */
+	ut_assertok(run_command("luks unlock mmc b:2 test", 0));
+	ut_assert_nextline("Unlocked LUKS partition as blkmap device 'luks-mmc-b:2'");
+	ut_assert_console_end();
+
+	/* Test unlocking with wrong passphrase */
+	ut_asserteq(1, run_command("luks unlock mmc b:2 wrongpass", 0));
+	ut_assert_skip_to_line("Failed to unlock LUKS partition (err -13: Permission denied)");
+
+	return 0;
+}
+BOOTSTD_TEST(bootstd_test_luks_unlock, UTF_DM | UTF_SCAN_FDT | UTF_CONSOLE);