From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id qOMlEsnxlWKHwgAAbAwnHQ (envelope-from ) for ; Tue, 31 May 2022 12:45:29 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id mJMXEsnxlWJ7EAAA9RJhRA (envelope-from ) for ; Tue, 31 May 2022 12:45:29 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id D806CA873 for ; Tue, 31 May 2022 12:45:28 +0200 (CEST) Received: from localhost ([::1]:53742 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nvzNP-0005B0-1E for larch@yhetil.org; Tue, 31 May 2022 06:45:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46758) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nvzN0-00058q-NK for bug-guix@gnu.org; Tue, 31 May 2022 06:45:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:52846) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nvzN0-0004mY-Cd for bug-guix@gnu.org; Tue, 31 May 2022 06:45:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1nvzN0-00012X-9x for bug-guix@gnu.org; Tue, 31 May 2022 06:45:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#55723: Full disk encryption with grub-efi and LUKS2 Resent-From: Josselin Poiret Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 31 May 2022 10:45:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 55723 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Lars-Dominik Braun , 55723@debbugs.gnu.org Received: via spool by 55723-submit@debbugs.gnu.org id=B55723.16539938893962 (code B ref 55723); Tue, 31 May 2022 10:45:02 +0000 Received: (at 55723) by debbugs.gnu.org; 31 May 2022 10:44:49 +0000 Received: from localhost ([127.0.0.1]:46743 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nvzMn-00011p-2d for submit@debbugs.gnu.org; Tue, 31 May 2022 06:44:49 -0400 Received: from jpoiret.xyz ([206.189.101.64]:36660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nvzMl-00011h-9U for 55723@debbugs.gnu.org; Tue, 31 May 2022 06:44:48 -0400 Received: from authenticated-user (jpoiret.xyz [206.189.101.64]) by jpoiret.xyz (Postfix) with ESMTPA id 21475184D3D; Tue, 31 May 2022 10:44:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim; t=1653993884; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=s1XK5Sehi0HVzaPShCv8ZDmB3Xxzyx/6AzhRx+9d+LQ=; b=EoEdo6Zo3g3jLiMiNt8po52TXb/d/wTz+phtma9zjys3y7279X0F4Gn9xlbinDd6b6yoKs U+0lqCrnL7Xq8abL8AvGYTbnHrZ7rBDUymLnQCiYS3gP9flbBShn9FWvp32g5utW/uXjRV HWnmRgRPbqvDCZndbSmLRfCagIliMpDNm+Ubt0WmZ3UNv3cE+IMZNNg2ejHUxHVLIeh5I5 u4i9t2qucV8ahCqLsgzSjE6hjgmFMC5L8qEGMBIsAgKAlQ5QkI9R5So7vmTvWaUHj/v0eq RCkUsDpN784bAgdBGUNu3GGaAjMLv4i2ZIgSJJpBRcXsOSgLuO6cMj3WzYny8Q== In-Reply-To: References: Date: Tue, 31 May 2022 12:44:43 +0200 Message-ID: <87fskqgew4.fsf@jpoiret.xyz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: / X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: Josselin Poiret From: Josselin Poiret via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1653993929; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=s1XK5Sehi0HVzaPShCv8ZDmB3Xxzyx/6AzhRx+9d+LQ=; b=i5i8909L5o/W4aAjqD63VHjmOAnh8pr9w4RoFFUjAsK2p60KaQffGcf7+i4c5NRUIWmtAm 8wAfKGiJp2cbPP9vQne8XBQO6FQjFwd77KbgiP/73/B4f6mez7uKpE3Itvw22g2x+Qnv72 V1BEO6l5Chw87kVBq5E2SOMunTL/m189ZnnKhkBRVHEJev7g9zNlfzTX2EWM4qKM1CllQX ESF1A577dXmtn95SeOnumSWaLz5bqAs/5HT46TEjjFjNzOqrgknPnT7uzo7AaJ3qeDJRPK cOpDMs6jqo5oEO2Wo5aepQQ57GXbD67Sxe5tHOdkWYWNjLkNhxn73BNApsoJTA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1653993929; a=rsa-sha256; cv=none; b=TT/8RP/HAAx94yP3NWwuYWh5LhRA1K7jy8imPx9L3h4LAXeCdQcEvfUHZ3dhjmujy0WaSN ppN7uomrjvI0VlHFJOenBl1is5Qg5PIfr+2At6jUdSNG0tZSwYJbn8mqbuDdmSXuueQFKN B2ZdSE1qh7gMM0arU+hgp/eyUre9Ajj8CUFsgPeuBaDLw4gSv2+BjXA0JeG9/qq6nIgIeC 3OMFjl5xchsBbSYEU7Jv0NEAkUXFWeQYiKIzuD4GsHNyQoBcuOHBXJ2hFBB2G+EyChar6X EsBZbwXu9/Sie+a+SNM+0dKLijKa76h4eGYbEg/Ye4WRRZyJl96ecyZLQEsApA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=jpoiret.xyz header.s=dkim header.b=EoEdo6Zo; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -3.53 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=jpoiret.xyz header.s=dkim header.b=EoEdo6Zo; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: D806CA873 X-Spam-Score: -3.53 X-Migadu-Scanner: scn1.migadu.com X-TUID: 00bZ3znt7m9O Hello Lars, Lars-Dominik Braun writes: > Hi, > > I followed the manual to manually install Guix with full disk encryption > using LUKS2 and PBKDF2. However this leaves me with an unbootable system, > stuck at Grub=E2=80=99s rescue prompt, because `grub-install` apparently = does > not know how to detect a LUKS2 target and therefore does not include > the modules required to open the encrypted volume in the EFI image. See > [1]. > > I managed to manually create a core.img with the help of ArchLinux=E2=80= =99 > Wiki[2] (see also [3]), boot into the system and reconfigure with a > modified bootloader: > > [...] > > Supposedly there are also patches for grub-mkimage, but maybe we can > include a workaround like the above by default until then or remove the > section about LUKS2 entirely? Thank you for posting this bug and sorry for taking so long with this. I'd suggest that we instead add a warning that `/boot/` must be unencrypted for LUKS2+GRUB to work for now, possibly pointing to this bug. Let me explain the whole situation so that we have good summary of the LUKS2+GRUB situation: * GRUB the bootloader itself supports unlocking LUKS2 cryptodisks, with its `luks2` module, that we load via `insmod luks2` in the grub.cfg. It doesn't contain support for Argon2i yet, so only the PBKDF2 key derivation function can be used, which is unfortunately not the default for cryptsetup. * Now, while the `luks2` module lets you unlock your disk, you have the usual chicken-and-egg problem: GRUB modules are stored in /boot/grub/. If this resides on a LUKS2 drive, then you'd be out of luck! However, this is a common issue with bootloaders, and GRUB allows embedding modules inside its own image, so that some modules are preloaded. You can either create the image manually using grub-mkimage, or grub-install can take care of it for you, by detecting which modules should be embedded using a user-space version of GRUB. This is where the LUKS2 support isn't finished yet: the userspace utilities don't recognize LUKS2, and will thus not try to include luks2 and friends if /boot/grub/ is on such a device. The crux of the issue is that when running in user-space, GRUB cheats by "pretending" to mount the device itself (called cheatmounting), and actually relays all reads to the underlying dm-crypt device! For LUKS1, this works well, but LUKS2 can have multiple keyslots and data segments, each with different algorithms, and since we don't know which keyslot was used to unlock the device, we won't know which GRUB crypto modules to include. My approach at [1] is to ask device-mapper directly, but there are also other patches trying various other methods, and the consensus now seems to be that each patch does one thing well and that we should combine all of the good parts. In any case, I can send a documentation patch to warn about the current situation later today. [1] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00076.html Best, --=20 Josselin Poiret