From 080525e01fca3abab097b440cf5c8cb3591379f5 Mon Sep 17 00:00:00 2001 From: matt Date: Mon, 10 Apr 2017 05:24:12 -0400 Subject: [PATCH] Error checking in grub-install/luks.c --- grub-core/disk/luks.c | 24 +++++++--- util/grub-install.c | 118 +++++++++++++++++++++++++++++--------------------- 2 files changed, 88 insertions(+), 54 deletions(-) diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index c776261..00e6ef9 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -174,7 +174,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, the disk. It is only used to make grub-install think this is a cryptodisk. Since it really is but without a header grub-install does not know this.*/ - grub_uint8_t num[6] = {'L','U','K','S',0xba,0xbe}; + /*grub_uint8_t num[6] = {'L','U','K','S',0xba,0xbe}; grub_memcpy (header.magic, num, sizeof(num)); header.version = 0x0100; grub_strcpy (header.cipherName, "aes"); @@ -187,7 +187,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, grub_uint64_t alter_mkDigestSalt[4] = {0x00,0x00,0x00,0x00}; grub_memcpy (header.mkDigestSalt,alter_mkDigestSalt, sizeof(alter_mkDigestSalt)); header.mkDigestIterations = 0x0020; - grub_strcpy (header.uuid, "01234567-1234-1234-1234-0123456789ab"); + grub_strcpy (header.uuid, "01234567-1234-1234-1234-0123456789ab");*/ /*This is for reading a header file in from grub-install for a detached header cryptodisk*/ static FILE *fpcrypto_header_f; /*file pointer to be used as the local program name for crypto device ptuuid */ @@ -214,15 +214,29 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, if (header_file_name[0] != '\0') /*In case the file is opened but empty. If empty then use above dummy header. */ { fpcrypto_detached_header_f = fopen (header_file_name, "r"); - if (fread (&header, 1, sizeof (header), fpcrypto_detached_header_f) != sizeof (header)) - err = GRUB_ERR_READ_ERROR; + if (fpcrypto_detached_header_f) + { + if (fread (&header, 1, sizeof (header), fpcrypto_detached_header_f) != sizeof (header)) + err = GRUB_ERR_READ_ERROR; + /*Test for LUKS magic in detached header*/ + if (grub_memcmp (header.magic, LUKS_MAGIC, sizeof (header.magic))) + { + grub_error (GRUB_ERR_BAD_ARGUMENT, "File '%s' is not a valid LUKS device detached header", header_file_name); + return NULL; + } + } + else + { + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Can't find detached header file '%s'", header_file_name); + return NULL; + } fclose (fpcrypto_detached_header_f); } } fclose (fpcrypto_header_f); if (crypto_header_name) grub_free (crypto_header_name); - } + } #endif diff --git a/util/grub-install.c b/util/grub-install.c index 4e8803e..e841e32 100644 --- a/util/grub-install.c +++ b/util/grub-install.c @@ -326,8 +326,8 @@ static struct argp_option options[] = { {"mattle-opts-file", OPTION_MATTLE_OPTS_FILE, N_("FILE"), 0, N_("use FILE instead of using %smattle_opts.cfg "), 2}, {"crypto-device", OPTION_CRYPTO_DEVICE, N_("DEVICE"), 0, N_("DEVICE is the LUKS crypto " - "volume with a detached header that the root filesystem is on. i.e." - " LUKS volume is on /dev/sda1 -> /dev/mapper/luks-volume and /boot may be on that device. " + "device with a detached header that the root filesystem is on. i.e." + " LUKS device is on /dev/sda1 -> /dev/mapper/luks-device and /boot may be on that device. " "Usage --crypto-device=/dev/sdXY"), 2}, {"crypto-header", OPTION_CRYPTO_HEADER, N_("FILE"), 0, N_("FILE is the detached LUKS header file for --crypto-device=DEVICE." " A copy of FILE needs to be stored on a different device and must be accessible in order to boot the DEVICE."), 2}, @@ -1209,8 +1209,8 @@ main (int argc, char *argv[]) } /*Here is the start to adding code for ability to do grub-install on a detached header - LUKS volume i.e --boot-directory=/boot and /boot resides on detached header - LUKS volume. This is placed outside the if (crypto_device) to clear file from + LUKS device i.e --boot-directory=/boot and /boot resides on detached header + LUKS device. This is placed outside the if (crypto_device) to clear file from seperate grub-install calls. If placed inside then from each call crypto_ptuuid file will retain the info and luks.c will access it even if --crypto-device is not called.*/ static FILE *fpcrypto_ptuuid_f; /*file pointer to be used as the local program name for crypto device uuid*/ @@ -1218,53 +1218,73 @@ main (int argc, char *argv[]) crypto_ptuuid_name = grub_util_path_concat (2, GRUB_SYSCONFDIR, "crypto_ptuuid.cfg"); fpcrypto_ptuuid_f = grub_util_fopen (crypto_ptuuid_name, "wb"); - if (crypto_device) + if (crypto_device && crypto_header) { - grub_device_t crypto_dev = NULL; - char *crypto_grub_devname; - crypto_grub_devname = grub_util_get_grub_dev (crypto_device); - if (crypto_grub_devname) - { - char *partuuid = 0; - crypto_dev = grub_device_open (crypto_grub_devname); - if (crypto_dev && crypto_dev->disk) - { - grub_disk_t crypto_disk = crypto_dev->disk; - grub_partition_t crypto_p = crypto_disk->partition; - if (crypto_disk->partition) - { - /*This means that it wont find devices like /dev/sdX only /dev/sdXY - And only if /dev/sdXY is an msdos or gpt type partition*/ - if (crypto_p && (grub_strcmp (crypto_p->partmap->name, "msdos") == 0 || grub_strcmp (crypto_p->partmap->name, "gpt") == 0 )) - { - if (crypto_disk->partition->number + 1) - { - partuuid = grub_strdup (crypto_p->partuuid); - if (partuuid) - { - fprintf (fpcrypto_ptuuid_f, "%s\n%s", partuuid, crypto_grub_devname); - static FILE *fpcrypto_header_f; /*file pointer to be used as the local program name for crypto device uuid*/ - static char *crypto_header_name; /*absolute path for crypto_ptuuid file*/ - crypto_header_name = grub_util_path_concat (2, GRUB_SYSCONFDIR, "crypto_header.cfg"); - fpcrypto_header_f = grub_util_fopen (crypto_header_name, "wb"); - if (crypto_header) - { - fprintf (fpcrypto_header_f, "%s\n", crypto_header); - } - - fclose (fpcrypto_header_f); /*closing file*/ - free (crypto_header_name); /*freeing crypto_ptuuid_name*/ - } - grub_free (partuuid); - } - } - } - } - } - grub_free (crypto_grub_devname); - if (crypto_dev) - grub_device_close (crypto_dev); + if (config.is_cryptodisk_enabled_mattle_opts) + { + grub_device_t crypto_dev = NULL; + char *crypto_grub_devname; + crypto_grub_devname = grub_util_get_grub_dev (crypto_device); + grub_printf ("grub_devname is %s\n", crypto_grub_devname); + if (crypto_grub_devname) + { + char *partuuid = 0; + crypto_dev = grub_device_open (crypto_grub_devname); + if (crypto_dev && crypto_dev->disk) + { + grub_disk_t crypto_disk = crypto_dev->disk; + if (crypto_disk->partition) + { + grub_partition_t crypto_p = crypto_disk->partition; + /*This means that it wont find devices like /dev/sdX only /dev/sdXY + And only if /dev/sdXY is an msdos or gpt type partition*/ + if (crypto_p && (grub_strcmp (crypto_p->partmap->name, "msdos") == 0 || grub_strcmp (crypto_p->partmap->name, "gpt") == 0 )) + { + if (crypto_disk->partition->number + 1) + { + partuuid = grub_strdup (crypto_p->partuuid); + if (partuuid) + { + fprintf (fpcrypto_ptuuid_f, "%s\n%s", partuuid, crypto_grub_devname); + static FILE *fpcrypto_header_f; /*file pointer to be used as the local program name for crypto device uuid*/ + static char *crypto_header_name; /*absolute path for crypto_ptuuid file*/ + crypto_header_name = grub_util_path_concat (2, GRUB_SYSCONFDIR, "crypto_header.cfg"); + fpcrypto_header_f = grub_util_fopen (crypto_header_name, "wb"); + fprintf (fpcrypto_header_f, "%s\n", crypto_header); + fclose (fpcrypto_header_f); /*closing file*/ + free (crypto_header_name); /*freeing crypto_ptuuid_name*/ + } + free (partuuid); + } + } + else + { + grub_util_error (_("Partition map type is '%s'. Partition map type for disk %s must be either 'MSDOS' or 'GPT'"), crypto_p->partmap->name, crypto_disk->name); + } + } + else + { + grub_util_error (_("%s is not a partition. --crypto-device must be used with either an 'MSDOS' or 'GPT' type partition"), crypto_device); + } + } + } + else + { + grub_util_error (_("Can't open %s. Check to make sure %s is a valid device"), crypto_device, crypto_device); + } + free (crypto_grub_devname); + if (crypto_dev) + grub_device_close (crypto_dev); + } + else + { + grub_util_error (_("Attempt to use detached header for LUKS device without mattle_opts enabled. " + "Set `%s' in file `%s'"), "GRUB_ENABLE_CRYPTODISK_MATTLE_OPTS=y", + grub_util_get_config_filename ()); + } } + else if ((crypto_device && !crypto_header) || (!crypto_device && crypto_header)) + grub_util_error (_("Must use --crypto-header with --crypto-device to install grub to a LUKS device with detached header")); fclose (fpcrypto_ptuuid_f); /*closing file*/ free (crypto_ptuuid_name); /*freeing crypto_ptuuid_name*/ -- 2.7.4