From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 10 Mar 2016 10:17:46 +0100
Message-ID: <8760wuy9mt.fsf@gnu.org>
References: <87twozi0ql.fsf@gnu.org> <20160308192104.GA22722@solar> <20160308193309.GA2251@solar>
In-Reply-To: <20160308193309.GA2251@solar> (Andreas Enge's message of "Tue, 8 Mar 2016 20:33:09 +0100")
To: Andreas Enge
Cc: 21843@debbugs.gnu.org

Andreas Enge wrote:

> What is needed are the following two lines at the beginning of grub.cfg:
>
>    insmod luks
>    cryptomount -u 1aa...
>
> where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".
>
> So the logic outlined in my previous message works:
> Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
> lead to a file-system with needed-for-boot? set to #t.
> Using
>    cryptsetup luksUUID /dev/sdXY
> determine a corresponding uuid 12345...0.
> If any such mapped-device exists, add
>    insmod luks
> as the first line of grub.cfg. For any such mapped-device, add a line
>    cryptomount -u 12345...0
> right after that.

IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
pass the device name, in GRUB format, which would allow us to use the
same strategy as in ‘grub-root-search’ in (gnu system grub)… with the
difficulty that we’d have to be able to map Linux /dev node names to
GRUB device names.

Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
their ‘mapped-device’ form, as in:

  (mapped-device
    (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
    (target "root")
    (type luks-device-mapping))

we’d have to extend with a method to resolve UUIDs (in this case, to map
a UUID to a /dev node.)

Thoughts?

Looks like more work than I initially thought.

Besides, I think we should only worry about the mapped device(s) that
back / and /boot, rather than any mapped device, no?

Thanks for looking into it,
Ludo’.
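
As an added illustration of the logic discussed in this message (not part of the message and not Guix code), the Python sketch below reads the UUID from a LUKS1 header, resolves a UUID to a /dev node, and emits the grub.cfg lines only for mappings that back a file system needed for boot. The dictionary layout, the function names and the UUID given to /dev/sda3 are assumptions made for the example, and the headers are constructed in memory rather than read from disk.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
UUID_OFFSET, UUID_LENGTH = 168, 40  # position of the UUID in a LUKS1 header

def luks_uuid(header):
    """Return the UUID in a LUKS1 header, or None if it is not LUKS1."""
    if len(header) < UUID_OFFSET + UUID_LENGTH or header[:6] != LUKS_MAGIC:
        return None
    if struct.unpack(">H", header[6:8])[0] != 1:
        return None
    raw = header[UUID_OFFSET:UUID_OFFSET + UUID_LENGTH]
    return raw.split(b"\0", 1)[0].decode("ascii")

def resolve_uuid(uuid, headers):
    """Map a LUKS UUID to the /dev node whose header carries it."""
    for node, header in sorted(headers.items()):
        if luks_uuid(header) == uuid:
            return node
    return None

def grub_preamble(mapped_devices, file_systems, headers):
    """First lines of grub.cfg for LUKS mappings backing boot file systems."""
    needed = {fs["device"] for fs in file_systems if fs["needed_for_boot"]}
    lines = []
    for md in mapped_devices:
        if md["type"] != "luks" or "/dev/mapper/" + md["target"] not in needed:
            continue
        src = md["source"]
        # A source is either a /dev node or, as proposed in the thread, a UUID.
        uuid = luks_uuid(headers.get(src, b"")) if src.startswith("/dev/") else src
        if uuid is None or resolve_uuid(uuid, headers) is None:
            raise ValueError("no LUKS device matches %r" % src)
        lines.append("cryptomount -u " + uuid)
    return (["insmod luks"] + lines) if lines else []

# Constructed sample data: headers as they would be read from each partition.
def fake_header(uuid):
    head = (LUKS_MAGIC + struct.pack(">H", 1)).ljust(UUID_OFFSET, b"\0")
    return head + uuid.encode("ascii").ljust(UUID_LENGTH, b"\0")

ROOT_UUID = "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"  # UUID quoted in the message
DATA_UUID = "00000000-0000-4000-8000-000000000003"  # constructed placeholder
HEADERS = {"/dev/sda1": b"\0" * 512, "/dev/sda2": fake_header(ROOT_UUID),
           "/dev/sda3": fake_header(DATA_UUID)}
MAPPED = [{"source": ROOT_UUID, "target": "root", "type": "luks"},
          {"source": "/dev/sda3", "target": "data", "type": "luks"}]
FILE_SYSTEMS = [{"device": "/dev/mapper/root", "needed_for_boot": True},
                {"device": "/dev/mapper/data", "needed_for_boot": False}]

if __name__ == "__main__":
    print("\n".join(grub_preamble(MAPPED, FILE_SYSTEMS, HEADERS)))
```

With the sample data only the mapping behind "root" produces a `cryptomount` line; the "data" mapping is skipped because its file system is not needed for boot.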