Date: Fri, 08 Dec 2023 19:04:20 +0000
From: Kaelyn
To: Giovanni Biscuolo
Cc: guix-devel@gnu.org
Subject: Re: problems installing on LUKS2 encrypted device
In-Reply-To: <87il58a99j.fsf@xelera.eu>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Gio,

On Friday, December 8th, 2023 at 9:34 AM, Giovanni Biscuolo wrote:

> 
> Hello,
> 
> I've noticed that the last released system installer [1], when using the
> guided install workflow, is using a LUKS1 encryption; since I would like
> to install on a LUKS2 encrypted root filesystem I tried to "manually"
> install following the instructions in the manual [2].
> 
> When using a LUKS2 encryption format [3], completing the installation
> and rebooting, I get an error from Grub: it cannot find the encrypted
> volume, it's trying to open the /unencrypted/ volume instead (via UUID),
> child of the LUKS2 encrypted one.
> 
> If I just change the type of encryption to "luks1" in [3], the booting
> of the installed machine works as expected.
> 
> Since I know that the LUKS2 support in Grub was not available when Guix
> 1.4 was released, I also tried to "guix pull && hash guix" /before/
> installing with "guix system init /mnt/etc/config.scm /mnt", but the
> error was the same.
> 
> I still have not tried to build an updated system installation image to
> see if it is working.
> 
> Since the (stable) manual provides instructions on how to install Guix
> System on a LUKS2 encrypted partition [4], I'd like to understand if I'm
> doing something wrong or there is a bug, at least in the manual.

About halfway through the email, your use of LUKS2 with Grub was tickling my brain about what I remembered reading regarding Grub's LUKS2 support being limited. While searching for references for that--and subsequently seeing that you were already using PBKDF2--I came across https://savannah.gnu.org/bugs/?55093 which seems to hold the answer. According to the newest comment, Grub 2.06 has a seemingly-undocumented additional requirement for working with LUKS2 of needing to use sha256 as the keyslot hash.

Additionally, https://wiki.archlinux.org/title/GRUB#LUKS2 suggests that Grub 2.06 requires manually creating an EFI binary using grub-mkimage (with grub-install once again being sufficient in 2.12rc1), though I don't know if the Guix bootloader machinery addresses that shortcoming or not.

Please take the above with a grain of salt, as I have only ever used LUKS1 with Grub (and I've recently started moving away from Grub).

HTH!
Cheers,
Kaelyn

> I'm attaching the script I'm using for the "manual" installation: if I
> set "luks2" in the "cryptsetup luksFormat..." command /and/ uncomment
> the "guix pull && hash guix" commands, the installation provides an
> unbootable system.
> 
> Sorry for the "short story made long" but my script is a proof of
> concept to allow installing a Guix System starting from any (recent)
> rescue system (tested only with a Guix install image and a systemd
> rescue system, grml), that's why it is so "long":
> 
> 
> 
> Thanks! Gio'
> 
> [1] https://ftp.gnu.org/gnu/guix/guix-system-install-1.4.0.-linux.iso
> 
> [2] https://guix.gnu.org/en/manual/en/html_node/Manual-Installation.html
> 
> [3] cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sdaX
> 
> [4] https://guix.gnu.org/en/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
> 
> -- 
> Giovanni Biscuolo
> 
> Xelera IT Infrastructures
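The reply above says GRUB 2.06 can only open a LUKS2 volume whose keyslots use PBKDF2 with sha256, a constraint cryptsetup's default (argon2id) does not meet. The following is an added example, not code from this thread, from Guix or from GRUB: a POSIX shell check that parses `cryptsetup luksDump` output and reports, per keyslot, whether that constraint holds. It assumes the luksDump layout of cryptsetup 2.x (a `Keyslots:` section with one `N: luks2` block per slot carrying `PBKDF:` and `Hash:` lines), and the two sample dumps are constructed with placeholder UUIDs. The `--hash sha256` option named in the comments is a real `cryptsetup luksFormat` option, the part of the recipe the thread did not spell out.

```shell
#!/bin/sh
# Added example (not from the thread, Guix or GRUB): verify that every LUKS2
# keyslot uses pbkdf2 + sha256, the combination the thread reports GRUB 2.06
# needs, by parsing `cryptsetup luksDump` output read from stdin.
# Assumes the cryptsetup 2.x luksDump layout.  Prints one verdict per keyslot
# and returns 0 only when all keyslots are compatible.
check_luks2_grub_compat() {
    awk '
        /^Version:/                          { version = $2 }
        /^Keyslots:/                         { section = "keyslots"; next }
        /^(Tokens|Digests|Data segments):/   { section = "other" }
        # "  0: luks2" opens a keyslot block; remember its number.
        section == "keyslots" && /^[ \t]*[0-9]+: / {
            cur = $1; sub(":", "", cur); slots[cur] = 1; nslots++; next
        }
        section == "keyslots" && /^[ \t]*PBKDF:/ { pbkdf[cur] = $2 }
        section == "keyslots" && /^[ \t]*Hash:/  { hash[cur]  = $2 }
        END {
            if (version != "2") {
                printf "not a LUKS2 header (Version: %s)\n", version; exit 1
            }
            if (nslots == 0) { print "no keyslots found"; exit 1 }
            bad = 0
            for (s in slots) {
                # argon2 keyslots carry no "Hash:" line at all.
                h  = (hash[s] == "") ? "none" : hash[s]
                ok = (pbkdf[s] == "pbkdf2" && hash[s] == "sha256")
                printf "keyslot %s: pbkdf=%s hash=%s -> %s\n", s, pbkdf[s], h,
                       (ok ? "ok for GRUB 2.06" : "NOT openable by GRUB 2.06")
                if (!ok) bad = 1
            }
            exit bad
        }
    '
}

# Constructed sample: a header made with
#   cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 --hash sha256 /dev/sdaX
# (UUID and counts are placeholders, not values from a real device).
GOOD_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        AF hash:    sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# Constructed sample: slot 0 is the cryptsetup default (argon2id, no hash),
# slot 1 was added with pbkdf2 but sha512; both fail the GRUB 2.06 rule.
BAD_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000001

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        AF hash:    sha256
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 2000000
        AF hash:    sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# On a real system:  cryptsetup luksDump /dev/sdaX | check_luks2_grub_compat
printf '%s\n' "$GOOD_DUMP" | check_luks2_grub_compat
printf '%s\n' "$BAD_DUMP"  | check_luks2_grub_compat \
    || echo "-> reformat (or add a keyslot) with --pbkdf pbkdf2 --hash sha256"
```

Run it against the dump of the device before `guix system init`: a non-zero exit means GRUB 2.06 will fail at boot exactly as described in the thread, whereas a LUKS2 header whose only keyslots are pbkdf2/sha256 passes. The check deliberately looks at the keyslot `Hash:` line and not the `AF hash:` line, since the thread's requirement concerns the PBKDF2 hash.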