From: Simon Glass <sjg@chromium.org>

With full-disk encryption (FDE) it is traditional to unlock a LUKS
partition within userspace as part of the initial ramdisk passed to Linux.
The user is prompted for a passphrase and then the disk is unlocked.

This works well but does have some drawbacks:

- firmware has no way of knowing whether the boot will succeed
- the 'passphrase' prompt comes quite late in the boot, which can be
  confusing for the user
- specifically it is not possible to provide an integrated 'boot' UI in
  firmware where the user can enter the passphrase
- in a VM environment, the key may be known in advance, but there is no
  way to take advantage of this
- it is not possible to use an encrypted disk unless also using a ramdisk

This series makes a small step towards improving U-Boot in this area. It
allows a passphrase to be checked against a LUKS1-encrypted partition. It
also provides read-only access to the unencrypted data, so that files can
be read.

Simon Glass (24):
  aes: Fix key size handling for AES-192 and AES-256
  doc: Provide documentation for the blkmap command
  log: Provide a macro to log a hex string
  panic: Provide a way to poweroff on panic
  sandbox: Enable CONFIG_PANIC_POWEROFF
  sandbox: Add devon and devoff subcommands to sb command
  mbedtls: hash: Provide the mbedtls hash type in the hash interface
  mbedtls: Allow use of PKCS#5 functions
  test/py: Support creating space after a filesystem
  test/py: Support FDE with the extlinux image
  test/py: Set up an Ubuntu image with space for FDE
  docker: Add cryptsetup package for LUKS testing
  CI: Update Docker image to including luks tools
  luks: Add a way to create an encrypted partition
  luks: Encrypt the mmc11 test image
  luks: Add the beginning of LUKS support
  luks: Add a simple command
  luks: Create a very simple JSON library
  luks: Create a disk image with LUKS2 encryption
  luks: Show the JSON information for LUKSv2
  luks: Enhance blkmap to support LUKSv1
  luks: Provide a way to unlock and map encrypted partitions
  luks: Add a subcommand to unlock an encrypted partition
  luks: Add detection of LUKS partition

 .gitlab-ci.yml                   |   6 +-
 MAINTAINERS                      |  14 +
 arch/sandbox/dts/test.dts        |   8 +
 cmd/Kconfig                      |   9 +
 cmd/Makefile                     |   1 +
 cmd/luks.c                       | 133 +++++++
 cmd/sb.c                         | 107 ++++-
 common/hash.c                    |   5 +
 configs/sandbox_defconfig        |   2 +
 doc/usage/blkmap.rst             |   5 +
 doc/usage/cmd/blkmap.rst         | 323 +++++++++++++++
 doc/usage/cmd/luks.rst           | 254 ++++++++++++
 doc/usage/cmd/sb.rst             |  40 +-
 doc/usage/index.rst              |   3 +
 doc/usage/luks.rst               | 340 ++++++++++++++++
 drivers/block/Kconfig            |  22 ++
 drivers/block/Makefile           |   1 +
 drivers/block/blkmap.c           | 152 +++++++
 drivers/block/luks.c             | 656 +++++++++++++++++++++++++++++++
 include/blkmap.h                 |  24 ++
 include/hash.h                   |  33 +-
 include/json.h                   |  23 ++
 include/log.h                    |  16 +
 include/luks.h                   | 175 +++++++++
 lib/Kconfig                      |  15 +
 lib/Makefile                     |   1 +
 lib/aes.c                        |  15 +-
 lib/json.c                       | 122 ++++++
 lib/mbedtls/Kconfig              |  14 +
 lib/mbedtls/Makefile             |   2 +
 lib/mbedtls/mbedtls_def_config.h |   4 +
 lib/panic.c                      |   8 +
 test/boot/Makefile               |   1 +
 test/boot/luks.c                 | 241 ++++++++++++
 test/cmd/Makefile                |   1 +
 test/cmd/sb.c                    | 123 ++++++
 test/lib/Makefile                |   1 +
 test/lib/json.c                  | 211 ++++++++++
 test/py/img/common.py            |  18 +-
 test/py/img/ubuntu.py            |  12 +-
 test/py/tests/fs_helper.py       | 142 ++++++-
 test/py/tests/test_ut.py         |   3 +-
 tools/docker/Dockerfile          |   1 +
 43 files changed, 3262 insertions(+), 25 deletions(-)
 create mode 100644 cmd/luks.c
 create mode 100644 doc/usage/cmd/blkmap.rst
 create mode 100644 doc/usage/cmd/luks.rst
 create mode 100644 doc/usage/luks.rst
 create mode 100644 drivers/block/luks.c
 create mode 100644 include/json.h
 create mode 100644 include/luks.h
 create mode 100644 lib/json.c
 create mode 100644 test/boot/luks.c
 create mode 100644 test/cmd/sb.c
 create mode 100644 test/lib/json.c

--
2.43.0

base-commit: 2ee77c0b8cb36f203fa3b1436ae3e8f07a054347
branch: secc