[PATCH v22 28/33] cryptodisk: Fallback to passphrase

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v22 28/33] cryptodisk: Fallback to passphrase

From:	Gary Lin
Subject:	[PATCH v22 28/33] cryptodisk: Fallback to passphrase
Date:	Mon, 11 Nov 2024 15:45:02 +0800

From: Patrick Colp <patrick.colp@oracle.com>

If a protector is specified, but it fails to unlock the disk, fall back
to asking for the passphrase.

Before requesting the passphrase, the error from the key protector(s)
has to be cleared, or the later code (e.g., LUKS code) may stop as
'grub_errno' is set. This commit prints error from the key protector(s)
and sets 'grub_errno' to 'GRUB_ERR_NONE' to have a fresh start.

Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/disk/cryptodisk.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6f7394942..4219f1fb6 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1167,6 +1167,10 @@ grub_cryptodisk_scan_device_real (const char *name,
          ret = cr->recover_key (source, dev, cargs);
          if (ret != GRUB_ERR_NONE)
            {
+             /* Reset key data to trigger the passphrase prompt later */
+             cargs->key_data = NULL;
+             cargs->key_len = 0;
+
              part = grub_partition_get_name (source->partition);
              grub_dprintf ("cryptodisk",
                            "recovered a key from key protector %s but it "
@@ -1192,7 +1196,6 @@ grub_cryptodisk_scan_device_real (const char *name,
                  source->name, source->partition != NULL ? "," : "",
                  part != NULL ? part : N_("UNKNOWN"), dev->uuid);
       grub_free (part);
-      goto error;
     }
 
   if (cargs->key_len)
@@ -1207,6 +1210,24 @@ grub_cryptodisk_scan_device_real (const char *name,
       unsigned long tries = 3;
       const char *tries_env;
 
+      /*
+       * Print the error from key protectors and clear grub_errno.
+       *
+       * Since '--protector' cannot coexist with '--password' and
+       * '--key-file', in case key protectors fail, only
+       * "cargs->key_len == 0" is expected, so cryptomount falls back
+       * here to request the passphrase.
+       *
+       * To avoid the error from key protectors stops the further code,
+       * print the error to notify the user why key protectors fail and
+       * clear grub_errno to have a fresh start.
+       */
+      if (grub_errno != GRUB_ERR_NONE)
+       {
+         grub_print_error ();
+         grub_errno = GRUB_ERR_NONE;
+       }
+
       askpass = 1;
       cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
       if (cargs->key_data == NULL)
-- 
2.43.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v22 16/33] libtasn1: compile into asn1 module, (continued)
- [PATCH v22 16/33] libtasn1: compile into asn1 module, Gary Lin, 2024/11/11
- [PATCH v22 19/33] key_protector: Add key protectors framework, Gary Lin, 2024/11/11
- [PATCH v22 20/33] tss2: Add TPM2 buffer handling functions, Gary Lin, 2024/11/11
- [PATCH v22 12/33] asn1_test: remove 'verbose' and the unnecessary printf(), Gary Lin, 2024/11/11
- [PATCH v22 21/33] tss2: Add TPM2 types and Marshal/Unmarshal functions, Gary Lin, 2024/11/11
- [PATCH v22 23/33] key_protector: Add TPM2 Key Protector, Gary Lin, 2024/11/11
- [PATCH v22 26/33] tpm2_key_protector: Support authorized policy, Gary Lin, 2024/11/11
- [PATCH v22 25/33] util/grub-protect: Add new tool, Gary Lin, 2024/11/11
- [PATCH v22 15/33] asn1_test: enable the testcase only when GRUB_LONG_MAX is larger than GRUB_INT_MAX, Gary Lin, 2024/11/11
- [PATCH v22 17/33] asn1_test: test module for libtasn1, Gary Lin, 2024/11/11
- [PATCH v22 28/33] cryptodisk: Fallback to passphrase, Gary Lin <=
- [PATCH v22 22/33] tss2: Add TPM2 Software Stack (TSS2) support, Gary Lin, 2024/11/11
- [PATCH v22 30/33] diskfilter: look up cryptodisk devices first, Gary Lin, 2024/11/11
- [PATCH v22 24/33] cryptodisk: Support key protectors, Gary Lin, 2024/11/11
- [PATCH v22 31/33] tpm2_key_protector: Add grub-emu support, Gary Lin, 2024/11/11
- [PATCH v22 33/33] docs: Document TPM2 key protector, Gary Lin, 2024/11/11
  - Re: [PATCH v22 33/33] docs: Document TPM2 key protector, Stefan Berger, 2024/11/11
    - Re: [PATCH v22 33/33] docs: Document TPM2 key protector, Gary Lin, 2024/11/12
- [PATCH v22 32/33] tests: Add tpm2_key_protector_test, Gary Lin, 2024/11/11
  - Re: [PATCH v22 32/33] tests: Add tpm2_key_protector_test, Stefan Berger, 2024/11/11
- [PATCH v22 27/33] tpm2_key_protector: Implement NV index, Gary Lin, 2024/11/11

Prev by Date: [PATCH v22 17/33] asn1_test: test module for libtasn1
Next by Date: [PATCH v22 22/33] tss2: Add TPM2 Software Stack (TSS2) support
Previous by thread: [PATCH v22 17/33] asn1_test: test module for libtasn1
Next by thread: [PATCH v22 22/33] tss2: Add TPM2 Software Stack (TSS2) support
Index(es):
- Date
- Thread