From: Danny Milosavljevic
To: Jonathan Brielmaier
Cc: 25305@debbugs.gnu.org
Subject: bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
Date: Wed, 18 Nov 2020 17:54:21 +0100
Message-ID: <20201118175421.185045c7@scratchpost.org>
In-Reply-To: <5fb878e0-31f3-b47f-8889-f68888d26564@web.de>
References: <87inq16km3.fsf@gnu.org> <5fb878e0-31f3-b47f-8889-f68888d26564@web.de>

On Mon, 16 Nov 2020 18:56:56 +0100
Jonathan Brielmaier wrote:

> We have now pretty good LUKS support, but I don't know if we support
> this use case. I always have `/boot` encrypted as well...

Unencrypted /boot and encrypted / is necessary to be able to use Heads
(right now). (It measures /boot in order to find out whether it has been
tampered with or not.)

If you want to be able to boot on a Heads system, either Heads needs to be
modified to mount encrypted /, or there needs to be an unencrypted /boot.