From a768876c0df0c9258e9c7502cdb54675eeb5f7ec Mon Sep 17 00:00:00 2001
From: Glenn Washburn
Date: Fri, 22 Jul 2022 03:04:50 -0500
Subject: [PATCH] disk/luks2: Continue trying all keyslots even if there are some failures
luks2_get_keyslot() can fail for a variety of reasons that do not necessarily mean the next keyslot should not be tried (e.g. a new kdf type). So always try the next slot. This will make GRUB more resilient to non-spec json data that 3rd party systems may add. We do not care if some of the keyslots are unusable, only if there is at least one that is.
Signed-off-by: Glenn Washburn
Reviewed-by: Daniel Kiper
---
 grub-core/disk/luks2.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f..5b3b36c8a 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -610,7 +610,15 @@ luks2_recover_key (grub_disk_t source,
 grub_errno = GRUB_ERR_NONE;
 ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
 if (ret)
- goto err;
+ {
+ /*
+ * luks2_get_keyslot() can fail for a variety of reasons that do not
+ * necessarily mean the next keyslot should not be tried (e.g. a new
+ * kdf type). So always try the next slot.
+ */
+ grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_UINT64_T "\n", keyslot.idx);
+ continue;
+ }
 if (grub_errno != GRUB_ERR_NONE)
 grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);
-- 
2.47.3
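Review bot: The new debug message prints `keyslot.idx` on the branch where luks2_get_keyslot() has just reported failure, so the field may be unset on the first iteration or left over from a previously parsed slot, depending on how far the call got (its body is not in this hunk). Because the header JSON is on-disk data parsed before any key is verified, the log should identify the skipped entry by the loop index, which is always valid at this point: `grub_dprintf ("luks2", "Failed to get keyslot at JSON index %" PRIuGRUB_SIZE "\n", json_idx);` (assuming json_idx is a grub_size_t; its declaration is outside the hunk). The body of luks2_recover_key continues past the hunk, so it is also worth confirming that the exit path reports a distinct error when every slot was skipped, since `grub_errno` is only reset at the top of an iteration and stays set after the final `continue`.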