commands/search: Add the diskfilter support

When the --cryptodisk-only argument is given, also check the target device using the "cryptocheck" command, if available. This extends the checks to common layouts like LVM-on-LUKS, so the --cryptodisk-only argument transparently handles such setups. Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-03-02 23:32:43 +03:00 · 2025-03-02 23:32:43 +03:00 · 10d778c4b4
commit 10d778c4b4
parent 7a584fbde0
1 changed files with 31 additions and 1 deletions
--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@ -54,6 +54,36 @@ struct search_ctx
  int is_cache;
 };

+static bool
+is_unencrypted_disk (grub_disk_t disk)
+{
+  grub_command_t cmd;
+  char *disk_str;
+  int disk_str_len;
+  int res;
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
+    return false; /* This is (crypto) disk. */
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_DISKFILTER_ID)
+    {
+      cmd = grub_command_find ("cryptocheck");
+      if (cmd == NULL) /* No diskfilter module loaded for some reason. */
+        return true;
+
+      disk_str_len = grub_strlen (disk->name) + 2 + 1;
+      disk_str = grub_malloc (disk_str_len);
+      if (disk_str == NULL) /* Something is wrong, better report as unencrypted. */
+        return true;
+
+      grub_snprintf (disk_str, disk_str_len, "(%s)", disk->name);
+      res = cmd->func (cmd, 1, &disk_str);
+      grub_free (disk_str);
+      return (res != GRUB_ERR_NONE) ? true : false; /* GRUB_ERR_NONE for encrypted. */
+    }
+  return true;
+}
+
 /* Helper for FUNC_NAME.  */
 static int
 iterate_device (const char *name, void *data)
@ -97,7 +127,7 @@ iterate_device (const char *name, void *data)
 	  grub_errno = GRUB_ERR_NONE;
 	  return 0;
 	}
-      if (dev->disk == NULL || dev->disk->dev->id != GRUB_DISK_DEVICE_CRYPTODISK_ID)
+      if (dev->disk == NULL || is_unencrypted_disk (dev->disk) == true)
 	{
 	  grub_device_close (dev);
 	  grub_errno = GRUB_ERR_NONE;