disk/luks2: Continue trying all keyslots even if there are some failures
authorGlenn Washburn <development@efficientek.com>
Fri, 22 Jul 2022 08:04:50 +0000 (03:04 -0500)
committerDaniel Kiper <daniel.kiper@oracle.com>
Wed, 10 Aug 2022 12:24:46 +0000 (14:24 +0200)
luks2_get_keyslot() can fail for a variety of reasons that do not necessarily
mean the next keyslot should not be tried (e.g. a new kdf type). So always
try the next slot. This will make GRUB more resilient to non-spec json data
that 3rd party systems may add. We do not care if some of the keyslots are
unusable, only that at least one is usable.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/disk/luks2.c

index bf741d70f3705e358ba1d9f3ebb17762a0753392..5b3b36c8a3c1390970eecf267bdce9a76472e13f 100644 (file)
@@ -610,7 +610,15 @@ luks2_recover_key (grub_disk_t source,
       grub_errno = GRUB_ERR_NONE;
       ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, json_idx);
       if (ret)
-       goto err;
+       {
+         /*
+          * luks2_get_keyslot() can fail for a variety of reasons that do not
+          * necessarily mean the next keyslot should not be tried (e.g. a new
+          * kdf type). So always try the next slot.
+          */
+         grub_dprintf ("luks2", "Failed to get keyslot %" PRIuGRUB_UINT64_T "\n", keyslot.idx);
+         continue;
+       }
       if (grub_errno != GRUB_ERR_NONE)
          grub_dprintf ("luks2", "Ignoring unhandled error %d from luks2_get_keyslot\n", grub_errno);
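Review bot: The debug message in the new failure branch prints `keyslot.idx`, a field of the struct that the failed `luks2_get_keyslot()` call was supposed to fill in; the hunk does not show whether it is set on every error path, so it may hold a stale value from the previous iteration or be uninitialized on the first. Because parse failures are now skipped instead of aborting, this message is the only trace of a malformed or unsupported keyslot, so it should identify the slot reliably. The loop index is always valid at this point, e.g. `grub_dprintf ("luks2", "Failed to get keyslot at JSON index %" PRIuGRUB_SIZE "\n", json_idx);` (assuming `json_idx` is a `grub_size_t`). The loop in luks2_recover_key starts and ends outside the hunk, so what is reported to the caller when every slot is skipped cannot be checked from here.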