grub: import phc argon2 implementation (for luks2)

Patches pulled from:
https://git.nicholasjohnson.ch/grub
This is the author of the rebased patches:
https://nicholasjohnson.ch/
(Nicholas Johnson <nick@nicholasjohnson.ch>)

However, this is a *rebase* performed by Nicholas,
based on these patches:

https://aur.archlinux.org/cgit/aur.git/tree/?h=grub-improved-luks2-git
...at revision: 1c7932d90f1f62d0fd5485c5eb8ad79fa4c2f50d

The AUR patches were based on GRUB 2.06, whereas Nicholas's
rebase is upon grub 2.12, which Libreboot currently uses.

These patches import the PHC implementation of argon2i/id
key derivation functions, seen here:
https://github.com/P-H-C/phc-winner-argon2

GRUB (upstream) does not merge these patches and probably won't,
because even though they're libre, they're not copylefted or
otherwise under GPL terms that GRUB can accept.

Therefore, we in Libreboot must maintain these from now on,
for our version of GRUB. The upshot? LUKSv2 decryption should
now work, perfectly, in GRUB!

Signed-off-by: Leah Rowe <leah@libreboot.org>

resources/grub/patches/0003-Add-CC0-license.patch

@@ -0,0 +1,42 @@
+From de6e7cc62522ce1be21bd2f06e7c15cd234b5426 Mon Sep 17 00:00:00 2001
+From: Ax333l <main@axelen.xyz>
+Date: Thu, 17 Aug 2023 00:00:00 +0000
+Subject: [PATCH 1/6] Add CC0 license
+
+Signed-off-by: Nicholas Johnson <nick@nicholasjohnson.ch>
+---
+ grub-core/kern/dl.c           | 3 ++-
+ util/grub-module-verifierXX.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 0bf40caa6..4011e2d15 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -470,7 +470,8 @@ grub_dl_check_license (grub_dl_t mod, Elf_Ehdr *e)
+ 
+   if (grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3") == 0
+       || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3+") == 0
+-      || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0)
++      || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0
++      || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=CC0") == 0)
+     return GRUB_ERR_NONE;
+ 
+   return grub_error (GRUB_ERR_BAD_MODULE,
+diff --git a/util/grub-module-verifierXX.c b/util/grub-module-verifierXX.c
+index a42c20bd1..7157a30aa 100644
+--- a/util/grub-module-verifierXX.c
++++ b/util/grub-module-verifierXX.c
+@@ -236,7 +236,8 @@ check_license (const char * const filename,
+   Elf_Shdr *s = find_section (arch, e, ".module_license", module_size);
+   if (s && (strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3") == 0
+ 	    || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv3+") == 0
+-	    || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0))
++	    || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=GPLv2+") == 0
++	    || strcmp ((char *) e + grub_target_to_host(s->sh_offset), "LICENSE=CC0") == 0))
+     return;
+   grub_util_error ("%s: incompatible license", filename);
+ }
+-- 
+2.39.2
+

resources/grub/patches/0004-Define-GRUB_UINT32_MAX.patch

@@ -0,0 +1,39 @@
+From 9edaaffac91d593a439e44bac3b6f5558f5a8245 Mon Sep 17 00:00:00 2001
+From: Ax333l <main@axelen.xyz>
+Date: Thu, 17 Aug 2023 00:00:00 +0000
+Subject: [PATCH 2/6] Define GRUB_UINT32_MAX
+
+Signed-off-by: Nicholas Johnson <nick@nicholasjohnson.ch>
+---
+ include/grub/types.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/include/grub/types.h b/include/grub/types.h
+index 0d96006fe..a13f3a60b 100644
+--- a/include/grub/types.h
++++ b/include/grub/types.h
+@@ -156,6 +156,7 @@ typedef grub_int32_t	grub_ssize_t;
+ #define GRUB_SHRT_MAX 0x7fff
+ #define GRUB_SHRT_MIN (-GRUB_SHRT_MAX - 1)
+ #define GRUB_UINT_MAX 4294967295U
++#define GRUB_UINT32_MAX 4294967295U
+ #define GRUB_INT_MAX 0x7fffffff
+ #define GRUB_INT_MIN (-GRUB_INT_MAX - 1)
+ #define GRUB_INT32_MAX 2147483647
+@@ -177,6 +178,13 @@ typedef grub_int32_t	grub_ssize_t;
+ #define GRUB_TYPE_U_MAX(type) ((unsigned long long)((typeof (type))(~0)))
+ #define GRUB_TYPE_U_MIN(type) 0ULL
+ 
++# define GRUB_UINT32_C(x) x ## U
++# if GRUB_ULONG_MAX >> 31 >> 31 >> 1 == 1
++#  define GRUB_UINT64_C(x) x##UL
++# elif 1
++#  define GRUB_UINT64_C(x) x##ULL
++# endif
++
+ typedef grub_uint64_t grub_properly_aligned_t;
+ 
+ #define GRUB_PROPERLY_ALIGNED_ARRAY(name, size) grub_properly_aligned_t name[((size) + sizeof (grub_properly_aligned_t) - 1) / sizeof (grub_properly_aligned_t)]
+-- 
+2.39.2
+

resources/grub/patches/0006-Error-on-missing-Argon2id-parameters.patch

@@ -0,0 +1,58 @@
+From 0044d32121bf52c4547c6b3c78f12d7305f57e6b Mon Sep 17 00:00:00 2001
+From: Ax333l <main@axelen.xyz>
+Date: Thu, 17 Aug 2023 00:00:00 +0000
+Subject: [PATCH 4/6] Error on missing Argon2id parameters
+
+Signed-off-by: Nicholas Johnson <nick@nicholasjohnson.ch>
+---
+ grub-core/disk/luks2.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index d5106402f..bc818ea69 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -38,6 +38,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ enum grub_luks2_kdf_type
+ {
+   LUKS2_KDF_TYPE_ARGON2I,
++  LUKS2_KDF_TYPE_ARGON2ID,
+   LUKS2_KDF_TYPE_PBKDF2
+ };
+ typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
+@@ -90,7 +91,7 @@ struct grub_luks2_keyslot
+ 	grub_int64_t time;
+ 	grub_int64_t memory;
+ 	grub_int64_t cpus;
+-      } argon2i;
++      } argon2;
+       struct
+       {
+ 	const char   *hash;
+@@ -160,10 +161,11 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
+   else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id"))
+     {
+-      out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
+-      if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+-	  grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+-	  grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
++      out->kdf.type = !grub_strcmp (type, "argon2i")
++		      ? LUKS2_KDF_TYPE_ARGON2I : LUKS2_KDF_TYPE_ARGON2ID;
++      if (grub_json_getint64 (&out->kdf.u.argon2.time, &kdf, "time") ||
++	  grub_json_getint64 (&out->kdf.u.argon2.memory, &kdf, "memory") ||
++	  grub_json_getint64 (&out->kdf.u.argon2.cpus, &kdf, "cpus"))
+ 	return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
+     }
+   else if (!grub_strcmp (type, "pbkdf2"))
+@@ -459,6 +461,7 @@ luks2_decrypt_key (grub_uint8_t *out_key,
+   switch (k->kdf.type)
+     {
+       case LUKS2_KDF_TYPE_ARGON2I:
++      case LUKS2_KDF_TYPE_ARGON2ID:
+ 	ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
+ 	goto err;
+       case LUKS2_KDF_TYPE_PBKDF2:
+-- 
+2.39.2
+

resources/grub/patches/0007-Compile-with-Argon2id-support.patch

@@ -0,0 +1,83 @@
+From 0a21695c55f76f1c958bb633481d55b3168562f7 Mon Sep 17 00:00:00 2001
+From: Ax333l <main@axelen.xyz>
+Date: Thu, 17 Aug 2023 00:00:00 +0000
+Subject: [PATCH 5/6] Compile with Argon2id support
+
+Signed-off-by: Nicholas Johnson <nick@nicholasjohnson.ch>
+---
+ Makefile.util.def           |  6 +++++-
+ grub-core/Makefile.core.def |  2 +-
+ grub-core/disk/luks2.c      | 13 +++++++++++--
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.util.def b/Makefile.util.def
+index 1e9a13d3e..a167825c3 100644
+--- a/Makefile.util.def
++++ b/Makefile.util.def
+@@ -3,7 +3,7 @@ AutoGen definitions Makefile.tpl;
+ library = {
+   name = libgrubkern.a;
+   cflags = '$(CFLAGS_GNULIB)';
+-  cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json';
++  cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json -I$(srcdir)/grub-core/lib/argon2';
+ 
+   common = util/misc.c;
+   common = grub-core/kern/command.c;
+@@ -36,6 +36,10 @@ library = {
+   common = grub-core/kern/misc.c;
+   common = grub-core/kern/partition.c;
+   common = grub-core/lib/crypto.c;
++  common = grub-core/lib/argon2/argon2.c;
++  common = grub-core/lib/argon2/core.c;
++  common = grub-core/lib/argon2/ref.c;
++  common = grub-core/lib/argon2/blake2/blake2b.c;
+   common = grub-core/lib/json/json.c;
+   common = grub-core/disk/luks.c;
+   common = grub-core/disk/luks2.c;
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 4a06789e5..e939dcc99 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -1238,7 +1238,7 @@ module = {
+   common = disk/luks2.c;
+   common = lib/gnulib/base64.c;
+   cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+-  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json';
++  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json -I$(srcdir)/lib/argon2';
+ };
+ 
+ module = {
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index bc818ea69..5b9eaa599 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -27,6 +27,7 @@
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+ 
++#include <argon2.h>
+ #include <base64.h>
+ #include <json.h>
+ 
+@@ -462,8 +463,16 @@ luks2_decrypt_key (grub_uint8_t *out_key,
+     {
+       case LUKS2_KDF_TYPE_ARGON2I:
+       case LUKS2_KDF_TYPE_ARGON2ID:
+-	ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
+-	goto err;
++	ret = argon2_hash (k->kdf.u.argon2.time, k->kdf.u.argon2.memory, k->kdf.u.argon2.cpus,
++			   passphrase, passphraselen, salt, saltlen, area_key, k->area.key_size,
++			   k->kdf.type == LUKS2_KDF_TYPE_ARGON2I ? Argon2_i : Argon2_id,
++			   ARGON2_VERSION_NUMBER);
++        if (ret)
++	  {
++	    grub_dprintf ("luks2", "Argon2 failed: %s\n", argon2_error_message (ret));
++	    goto err;
++	  }
++        break;
+       case LUKS2_KDF_TYPE_PBKDF2:
+ 	hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
+ 	if (!hash)
+-- 
+2.39.2
+

resources/grub/patches/0008-Make-grub-install-work-with-Argon2.patch

@@ -0,0 +1,26 @@
+From 6c9a6625c0dc038d1bdbdc13665f40e269e86496 Mon Sep 17 00:00:00 2001
+From: Ax333l <main@axelen.xyz>
+Date: Thu, 17 Aug 2023 00:00:00 +0000
+Subject: [PATCH 6/6] Make grub-install work with Argon2
+
+Signed-off-by: Nicholas Johnson <nick@nicholasjohnson.ch>
+---
+ util/grub-install.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 1ad04db36..a8a3330b8 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -448,6 +448,8 @@ probe_mods (grub_disk_t disk)
+     {
+       grub_util_cryptodisk_get_abstraction (disk,
+ 					    push_cryptodisk_module, NULL);
++      /* HACK: always push argon2 */
++      grub_install_push_module ("argon2");
+       have_abstractions = 1;
+       have_cryptodisk = 1;
+     }
+-- 
+2.39.2
+