unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / Atom feed
* LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
       [not found] <CAOXwz5_i2-dUVeFgNfXt07zazCq1SLz6V+WGC09JLRYzUgUDRA@mail.gmail.com>
@ 2016-12-30 23:52 ` Ludovic Courtès
  2020-11-16 17:56   ` bug#25305: " Jonathan Brielmaier
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2016-12-30 23:52 UTC (permalink / raw)
  To: Eddie Baxter; +Cc: bug-guix, help-guix

Hello!

Eddie Baxter <pieceredd@gmail.com> skribis:

> I have attempted to install GuixSD on an encrypted root using LUKS, after
> reading the release notes for 0.12.0 that implies this should now work - My
> config.scm is linked:
>
> https://gist.github.com/AcouBass/3a1a6ab28c17830a175dc7da95eb18cd
>
> I don't get any errors on installation, nor upon doing a system
> reconfigure.
>
> At the moment I am still having to drop to a command prompt in Grub and use
> the commands:
>
>   insmod luks
>   cryptomount hd0,msdos2

The config has an unencrypted /boot and an encrypted root.  What’s
tested and known-good is a configuration with an encrypted root that
contains /boot, like the one here:

  https://www.gnu.org/software/guix/manual/html_node/Using-the-Configuration-System.html#index-encrypted-disk-1

It may be that this configuration is not correctly supported yet.

I’m Cc’ing bug-guix@gnu.org so we keep track of this issue.

> Which while it does work does mean I'm entering my passphrase twice
> (As well as having to drop to the Grub command line!)

The passphrase-twice issue seems hard to avoid: first GRUB needs to
access the partition, and then the kernel needs to access it.

If anyone is aware of ways to solve this, I’m all ears!

Thanks for your report!

Ludo’.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
  2016-12-30 23:52 ` LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 Ludovic Courtès
@ 2020-11-16 17:56   ` Jonathan Brielmaier
  2020-11-18 16:54     ` Danny Milosavljevic
  0 siblings, 1 reply; 4+ messages in thread
From: Jonathan Brielmaier @ 2020-11-16 17:56 UTC (permalink / raw)
  To: 25305

We have now pretty good LUKS support, but I don't know if we support
this use case. I always have `/boot` encrypted as well...




^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
  2020-11-16 17:56   ` bug#25305: " Jonathan Brielmaier
@ 2020-11-18 16:54     ` Danny Milosavljevic
  2020-11-18 17:46       ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Danny Milosavljevic @ 2020-11-18 16:54 UTC (permalink / raw)
  To: Jonathan Brielmaier; +Cc: 25305

[-- Attachment #1: Type: text/plain, Size: 556 bytes --]

On Mon, 16 Nov 2020 18:56:56 +0100
Jonathan Brielmaier <jonathan.brielmaier@web.de> wrote:

> We have now pretty good LUKS support, but I don't know if we support
> this use case. I always have `/boot` encrypted as well...

Unencrypted /boot and encrypted / is necessary to be able to use Heads
(right now).

(It measures /boot in order to find out whether it has been tampered with or
not)

If you want to be able to boot on a Heads system, either Heads needs to be
modified to mount encrypted / , or there needs to be an unencrypted /boot.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
  2020-11-18 16:54     ` Danny Milosavljevic
@ 2020-11-18 17:46       ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2020-11-18 17:46 UTC (permalink / raw)
  To: Danny Milosavljevic; +Cc: 25305, Jonathan Brielmaier

Hi,

Danny Milosavljevic <dannym@scratchpost.org> skribis:

> (It measures /boot in order to find out whether it has been tampered with or
> not)

(Off-topic.) I’d be curious to see how much of this approach makes sense
in the context of immutable deployments like Guix does.

Ludo’.




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-11-18 17:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CAOXwz5_i2-dUVeFgNfXt07zazCq1SLz6V+WGC09JLRYzUgUDRA@mail.gmail.com>
2016-12-30 23:52 ` LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 Ludovic Courtès
2020-11-16 17:56   ` bug#25305: " Jonathan Brielmaier
2020-11-18 16:54     ` Danny Milosavljevic
2020-11-18 17:46       ` Ludovic Courtès

unofficial mirror of bug-guix@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-bugs/0 guix-bugs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-bugs guix-bugs/ https://yhetil.org/guix-bugs \
		bug-guix@gnu.org
	public-inbox-index guix-bugs

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.bugs
	nntp://news.gmane.io/gmane.comp.gnu.guix.bugs


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git