This series illustrates how to use a Tillitis TKey to unlock an encrypted disk. This has the advantage that the key depends on a physical key in the user's posession as well as the usual passphrase. The TKey handles the key derivation, so this series includes logic to skip that step when a TKey is used. The 'luks unlock' command provides a -t flag to use a TKey. It also provides a small pytest fix to ease conflicts with Labgrid integration. Simon Glass (14): test/py: Avoid pulling in Labgrid with tests luks: Make essiv_decrypt() a shared function luks: Tidy up debugging of unlock luks: Update try_keyslot() to allow a bytestring luks: Update unlock_luks2() to take binary passphrase luks: Update luks_unlock() to take binary passphrase luks: Extract PBKDF2 key derivation into separate function luks: Move key derivation to the caller of try_keyslot() luks: Split LUKSv1 unlock code into a separate function luks: Support a pre-derived key with LUKSv1 luks: Support a pre-derived key with LUKSv2 luks: Support a pre-derived key luks: Check for out-of-memory with Argon2 luks: Support disk unlock using a TKey cmd/luks.c | 94 +++++++++- doc/usage/cmd/luks.rst | 36 +++- drivers/block/luks.c | 316 ++++++++++++++++++++-------------- drivers/block/luks2.c | 141 ++++++--------- drivers/block/luks_internal.h | 28 ++- include/luks.h | 4 +- test/boot/luks.c | 4 +- test/py/pytest.ini | 1 + 8 files changed, 384 insertions(+), 240 deletions(-) -- 2.43.0 base-commit: 826b435241a60310f663a88b148912a9ab727b76 branch: secg