Subject: bug#25305: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder
From: Ludovic Courtès
To: Miguel Ángel Arruga Vivas
Cc: 25305@debbugs.gnu.org, Mathieu Othacehe, 37851@debbugs.gnu.org
Date: Mon, 14 Dec 2020 14:11:37 +0100
Message-ID: <87k0tksfau.fsf@gnu.org>
In-Reply-To: <87ft5ym3ic.fsf@gmail.com> (Miguel Ángel Arruga Vivas's message of "Wed, 28 Oct 2020 22:42:19 +0100")
References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com> <87ft5ym3ic.fsf@gmail.com>
List-Id: Bug reports for GNU Guix

Hi Miguel,

Miguel Ángel Arruga Vivas skribis:

> From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001
> From: Miguel Ángel Arruga Vivas
>
> Date: Sun, 25 Oct 2020 16:31:17 +0100
> Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root.
>
> * gnu/bootloader/grub.scm (grub-configuration-file): New parameter
> store-crypto-devices.
> [crypto-devices]: New helper function.
> [builder]: Use crypto-devices.
> * gnu/machine/ssh.scm (roll-back-managed-host): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * gnu/tests/install.scm (%encrypted-root-not-boot-os,
> %encrypted-root-not-boot-os): New os declaration.
> (%encrypted-root-not-boot-installation-script): New script, whose contents
> were initially taken from %encrypted-root-installation-script.
> (%test-encrypted-root-not-boot-os): New test.
> * gnu/system.scm (define-module): Export
> operating-system-bootloader-crypto-devices and
> boot-parameters-store-crypto-devices.
> (): Add field store-crypto-devices.
> (read-boot-parameters): Parse store-crypto-devices field.
> [uuid-sexp->uuid]: New helper function extracted from
> device-sexp->device.
> (operating-system-bootloader-crypto-devices): New function.
> (operating-system-bootcfg): Use
> operating-system-bootloader-crypto-devices to provide its contents to
> the bootloader configuration generation process.
> (operating-system-boot-parameters): Add store-crypto-devices to the
> generated boot-parameters.
> (operating-system-boot-parameters-file): Likewise to the file with
> the serialized structure.
> * guix/scripts/system.scm (reinstall-bootloader): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * tests/boot-parameters.scm (%default-store-crypto-devices): New
> variable.
> (%grub-boot-parameters, test-read-boot-parameters): Use
> %default-store-crypto-devices.
> (tests store-crypto-devices): New tests.
> ---
>  gnu/bootloader/grub.scm   | 21 +++++++-
>  gnu/machine/ssh.scm       |  3 ++
>  gnu/system.scm            | 57 ++++++++++++++++++++-
>  gnu/tests/install.scm     | 103 ++++++++++++++++++++++++++++++++++++++
>  guix/scripts/system.scm   |  2 +
>  tests/boot-parameters.scm | 29 ++++++++++-
>  6 files changed, 210 insertions(+), 5 deletions(-)

Woohoo!

> --- a/gnu/bootloader/grub.scm
> +++ b/gnu/bootloader/grub.scm
> @@ -4,7 +4,7 @@
>  ;;; Copyright © 2017 Leo Famulari
>  ;;; Copyright © 2017, 2020 Mathieu Othacehe
>  ;;; Copyright © 2019, 2020 Jan (janneke) Nieuwenhuizen
> -;;; Copyright © 2019 Miguel Ángel Arruga Vivas
> +;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas
>  ;;; Copyright © 2020 Maxim Cournoyer
>  ;;; Copyright © 2020 Stefan
>  ;;;
> @@ -360,11 +360,14 @@ code."
>                                    (locale #f)
>                                    (system (%current-system))
>                                    (old-entries '())
> +                                  (store-crypto-devices '())
>                                    store-directory-prefix)
>    "Return the GRUB configuration file corresponding to CONFIG, a
>  object, and where the store is available at
>  STORE-FS, a object.  OLD-ENTRIES is taken to be a list of menu
>  entries corresponding to old generations of the system.
> +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must
> +be unlocked to access the store contents.
>  STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is required
>  when booting a root file system on a Btrfs subvolume."
>    (define all-entries
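Review bot: the new docstring sentence in the `@@ -360,11 +360,14 @@` hunk, `STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must be unlocked`, has a subject/verb mismatch and "units" does not say what kind of object is meant. Suggest stating the type and the mechanism, e.g. `STORE-CRYPTO-DEVICES is a list of UUIDs of the encrypted devices that must be unlocked (with cryptomount) before the store can be read.`, so callers know a list is expected and that only UUIDs are accepted.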
> @@ -412,6 +415,21 @@ menuentry ~s {
>                     (string-join (map string-join '#$modules)
>                                  "\n  module " 'prefix))))))
>
> +  (define (crypto-devices)
> +    (define (crypto-device->cryptomount dev)
> +      (if (uuid? dev)
> +          #~(format port "cryptomount -u ~a~%"
> +                    ;; cryptomount only accepts UUID without the hypen.
> +                    #$(string-delete #\- (uuid->string dev)))
> +          ;; Other type of devices aren't implemented.
> +          #~()))
> +    (let ((devices (map crypto-device->cryptomount store-crypto-devices))
> +          ;; XXX: Add luks2 when grub 2.06 is packaged.
> +          (modules #~(format port "insmod luks~%")))
> +      (if (null? devices)
> +          devices
> +          (cons modules devices))))

What I don’t get is why we’re able to use an encrypted root right now
without emitting “cryptomount” GRUB commands?

> +     (store-crypto-devices
> +      (match (assq 'store rest)
> +        (('store . store-data)
> +         (match (assq 'crypto-devices store-data)
> +           (('crypto-devices devices)
> +            (if (list? devices)
> +                (map uuid-sexp->uuid devices)
> +                (begin
> +                  (warning (G_ "unrecognized crypto-device ~S at '~a'~%")
> +                           devices (port-filename port))
> +                  '())))

You could avoid ‘if’ by having clauses like:

  (('crypto-devices (devices ...))
   ;; …
   )
  (('crypto-devices _)
   (warning …)
   '())
  (_ '())

> +           (_
> +            ;; No crypto-devices found
> +            '())))
> +        (_
> +         ;; No store found, old format.
> +         '())))

s/No store found/No crypto devices found/ ?

> +(define (operating-system-bootloader-crypto-devices os)
> +  "Return the subset of mapped devices that the bootloader must open.
> +Only devices specified by uuid are supported."
> +  (map mapped-device-source
> +       (filter (match-lambda
> +                 ((and (= mapped-device-type type)
> +                       (= mapped-device-source source))
> +                  (and (eq? luks-device-mapping type)
> +                       (or (uuid? source)
> +                           (begin
> +                             (warning (G_ "\
> +mapped-device '~a' won't be mounted by the bootloader.~%")
> +                                      source)
> +                             #f)))))
> +               ;; XXX: Ordering is important, we trust the returned one.
> +               (operating-system-boot-mapped-devices os))))

You can use ‘filter-map’ here.

The rest LGTM!

Make sure the “installed-os” and “encrypted-root-os” system tests are
still fine, and if they are, I guess you can go ahead.

Thanks!

Ludo’.
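Review bot: in the `crypto-devices` helper of the `@@ -412,6 +415,21 @@` hunk, the non-UUID branch of `crypto-device->cryptomount` returns the empty gexp `#~()`, so a device that is not a UUID produces an empty form in the generated builder code (the `[builder]: Use crypto-devices` change is not quoted here) instead of any diagnostic. Since `operating-system-bootloader-crypto-devices` already restricts the list to UUID sources, this branch should be unreachable; making it `(error "unsupported crypto device" dev)` or at least a `warning` naming the device keeps that invariant visible rather than silently emitting nothing. The comment `;; cryptomount only accepts UUID without the hypen.` also has a typo (`hyphen`).

Review bot: in the `read-boot-parameters` hunk of gnu/system.scm, malformed `crypto-devices` entries are handled inconsistently: `(crypto-devices foo)` with a non-list `foo` reaches the `(if (list? devices) ...)` branch and warns, but an entry of any other shape, such as `(crypto-devices a b)`, misses the `(('crypto-devices devices) ...)` pattern and falls through to the inner `(_ ...)` clause, which is commented `No crypto-devices found` and returns `'()` silently. Suggest reserving the silent case for `#f` (the `assq` miss) and making the fallback `(('crypto-devices . _) (warning ...) '())` so every present-but-unparseable entry is reported with `(port-filename port)`.

Review bot: in the `operating-system-bootloader-crypto-devices` hunk, the warning text `mapped-device '~a' won't be mounted by the bootloader.` describes the wrong operation: what the bootloader does with these devices is unlock them with `cryptomount` (see the `crypto-devices` helper in grub.scm), so `won't be unlocked by the bootloader` would point users at the right problem (a non-UUID `source`). The docstring's `Only devices specified by uuid are supported.` should say that other devices are skipped with that warning, and the `;; XXX: Ordering is important, we trust the returned one.` comment should name which order is relied on (the order of `operating-system-boot-mapped-devices`) and why, since the resulting list becomes the order of `cryptomount` commands.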