From: Pierre Neidhardt <mail@ambrevar.xyz>
To: guix-devel@gnu.org
Subject: Single password prompt with encrypted partition, Part II: Unencrypted /boot
Date: Tue, 09 Jun 2020 19:17:20 +0200
Message-ID: <87d068f9b3.fsf@ambrevar.xyz>

Hi!

This is a follow-up to
https://lists.gnu.org/archive/html/guix-devel/2020-04/msg00017.html.

I'm actually trying to set up a system that asks for the password once.
I've opted for the unencrypted /boot partition strategy.

The following does not work:

--8<---------------cut here---------------start------------->8---
(define drive-mapping
  (list (mapped-device
         ;; The UUID is that returned by 'cryptsetup luksUUID'.
         (source (uuid "b29cb68b-b154-4228-a131-34e9c474b0bd"))
         (target "guix")
         (type luks-device-mapping))))

(define root-partition
  (file-system
    (device (file-system-label "guix"))
    (mount-point "/")
    (type "btrfs")
    (options "subvol=rootfs,compress=zstd")
    (dependencies drive-mapping)))

(operating-system
  ;; ...
  (file-systems (cons* root-partition
                       (file-system
                         (device (file-system-label "boot"))
                         (mount-point "/boot")
                         (type "ext4")
                         ;; (needed-for-boot? #t)
                         ;; (dependencies (list root-partition))
                         )
                       (file-system
                         (device (uuid "4E30-891F" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat"))
                       %base-file-systems)))
--8<---------------cut here---------------end--------------->8---

GRUB starts without prompting for password (success!) but without theme
(oops!) and then it's unable to boot the Guix entry, complaining it
cannot find the "guix" partition.

If I remove the "boot" file system entry, then run "guix system init ..."
without mounting "boot", it works.

I tried with the

--8<---------------cut here---------------start------------->8---
(dependencies (list root-partition))
--8<---------------cut here---------------end--------------->8---

but then the image does not even build, complaining

--8<---------------cut here---------------start------------->8---
guix system: error: service 'file-system-/boot' requires 'file-system-/', which is not provided by any service
--8<---------------cut here---------------end--------------->8---

I haven't tried the 'needed-for-boot?' field, maybe it could help here.

The generated /boot/grub/grub.cfg does not have any encryption-related
lines (as in
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_the_boot_loader
for instance).

Does our GRUB generation support unlocking LUKS partitions that are not
the same as the one where GRUB is installed?

Any idea?
-- 
Pierre Neidhardt
https://ambrevar.xyz/
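The layout the message describes (LUKS-encrypted btrfs root, unencrypted ext4 /boot, vfat EFI System Partition), written out as one complete Guix `operating-system` declaration. This is an added example, not the original poster's configuration and not code from the Guix project; it is not a fix for the boot failure reported above. The UUIDs and labels are the ones quoted in the message; the host name, time zone and user account are placeholders, and the `targets` field name assumes a current Guix (older releases spell it `target`). The /boot entry deliberately carries no `dependencies` on the root file system, since the message shows that that cross-dependency fails to build.

```scheme
;; Added example (not the original message's code): a complete Guix
;; operating-system for a LUKS-encrypted btrfs root, an unencrypted ext4
;; /boot and a vfat EFI System Partition.  Host name, time zone and user
;; are placeholders; UUIDs and labels are those quoted in the message.
(use-modules (gnu))

;; The LUKS container.  The initrd opens it (one passphrase prompt) because
;; the root file system declares it as a dependency.
(define luks-root
  (mapped-device
   (source (uuid "b29cb68b-b154-4228-a131-34e9c474b0bd")) ; cryptsetup luksUUID
   (target "guix")                                        ; -> /dev/mapper/guix
   (type luks-device-mapping)))

(define root-fs
  (file-system
   (device (file-system-label "guix"))       ; btrfs label inside the container
   (mount-point "/")
   (type "btrfs")
   (options "subvol=rootfs,compress=zstd")
   (dependencies (list luks-root))))

;; /boot is a plain ext4 partition with no dependency on the mapped device
;; and none on the root file system, so GRUB reads the kernel and initrd
;; without any cryptomount step in grub.cfg.
(define boot-fs
  (file-system
   (device (file-system-label "boot"))
   (mount-point "/boot")
   (type "ext4")))

(define esp-fs
  (file-system
   (device (uuid "4E30-891F" 'fat))
   (mount-point "/boot/efi")
   (type "vfat")))

(operating-system
  (host-name "example")                       ; placeholder
  (timezone "Europe/Paris")                   ; placeholder
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               ;; GRUB itself is installed on the ESP.
               (targets (list "/boot/efi"))))
  (mapped-devices (list luks-root))
  (file-systems (cons* root-fs boot-fs esp-fs %base-file-systems))
  (users (cons (user-account
                (name "alice")                ; placeholder
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  (services %base-services))
```

Install it with the command the message already uses, `guix system init config.scm /mnt`, with /mnt/boot and /mnt/boot/efi mounted. Because only the root file system depends on the mapped device, the passphrase is requested exactly once, in the initrd; /boot is mounted later as an ordinary file system. The trade-off of this layout is that the kernel and initrd sit unencrypted on disk: the LUKS passphrase protects the contents of the root volume, while the integrity of what GRUB loads from /boot rests on whatever the firmware verifies, not on the passphrase.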