From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:470:142:3::10]:44947)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ipzZj-00079a-W8
 for guix-patches@gnu.org; Fri, 10 Jan 2020 14:04:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ipzZi-0006cQ-JF
 for guix-patches@gnu.org; Fri, 10 Jan 2020 14:04:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:49007)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1ipzZi-0006bC-DZ
 for guix-patches@gnu.org; Fri, 10 Jan 2020 14:04:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ipzZi-0001kJ-AC
 for guix-patches@gnu.org; Fri, 10 Jan 2020 14:04:02 -0500
Subject: [bug#38826] Fwd: [bug #55093] Add LUKS2 support
Resent-Message-ID: <handler.38826.B38826.15786830256671@debbugs.gnu.org>
Date: Fri, 10 Jan 2020 13:03:22 -0600
From: David Trudgian <dave@trudgian.net>
Message-Id: <16f90d6f00f.e61facad831696.4328929059229895663@trudgian.net>
In-Reply-To: <87imljcodn.fsf@nckx>
References: <20181125-133249.sv131345.66349@savannah.gnu.org>
 <20190329-085821.sv141454.39342@savannah.gnu.org>
 <20190529-204303.sv92573.55917@savannah.gnu.org>
 <20191104-210711.sv164522.57380@savannah.gnu.org>
 <20191104-214103.sv131345.42463@savannah.gnu.org>
 <20200110-144908.sv131778.92274@savannah.gnu.org> <87imljcodn.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_Part_2681935_261380449.1578683002895"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 38826 <38826@debbugs.gnu.org>

------=_Part_2681935_261380449.1578683002895
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

>> Yay, this is implemented in
>> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3D365e0cc3e7e44151=
c14dd29514c2f870b49f9755
>
> I'll take a look later.=C2=A0 We'll see whether or not it would be pruden=
t
> to ship this as-is in Guix.


I had a look at this before, and the issue remaining is that the LUKS2
support in GRUB via this patch is not compatible with the default PBKDF
that is going to be used by cryptsetup when creating LUKS2 partitions.

Looking at `cryptsetup --help` on Guix or elsewhere will show that the
default LUKS2 PBKDF is argon2i. Unfortunately only pbkdf2 is supported by
this GRUB2 patch (it's the default PBKDF for LUKS1).

It's possible to create LUKS2 encrypted partitions using pbkdf2, but
this means they aren't using a PBKDF of the same strength that most
people expect from LUKS2 use elsewhere - in distros where an
unencrypted `/boot` is used to avoid the direct support in GRUB problem.

I'm not sure if this is a major concern or not here?

Have spent some of my morning writing up about encryption in Singularity
containers, which uses LUKS2... so this is a fun topic to see in my
mailbox right now :-)

Cheers,

DT
------=_Part_2681935_261380449.1578683002895
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>=
<meta content=3D"text/html;charset=3DUTF-8" http-equiv=3D"Content-Type"></h=
ead><body ><div style=3D"font-family: Verdana, Arial, Helvetica, sans-serif=
; font-size: 10pt;">&gt;&gt; Yay, this is implemented in<br>&gt;&gt; <a tar=
get=3D"_blank" href=3D"https://git.savannah.gnu.org/cgit/grub.git/commit/?i=
d=3D365e0cc3e7e44151c14dd29514c2f870b49f9755">https://git.savannah.gnu.org/=
cgit/grub.git/commit/?id=3D365e0cc3e7e44151c14dd29514c2f870b49f9755</a><br>=
&gt;<br>&gt; I'll take a look later.&nbsp; We'll see whether or not it woul=
d be prudent<br>&gt; to ship this as-is in Guix.<br><br><br>I had a look at=
 this before, and the issue remaining is that the LUKS2<br>support in GRUB =
via this patch is not compatible with the default PBKDF<br>that is going to=
 be used by cryptsetup when creating LUKS2 partitions.<br><br>Looking at `c=
ryptsetup --help` on Guix or elsewhere will show that the<br>default LUKS2 =
PBKDF is argon2i. Unfortunately only pbkdf2 is supported by<br>this GRUB2 p=
atch (it's the default PBKDF for LUKS1).<br><br>It's possible to create LUK=
S2 encrypted partitions using pbkdf2, but<br>this means they aren't using a=
 PBKDF of the same strength that most<br>people expect from LUKS2 use elsew=
here - in distros where an<br>unencrypted `/boot` is used to avoid the dire=
ct support in GRUB problem.<br><br>I'm not sure if this is a major concern =
or not here?<br><br>Have spent some of my morning writing up about encrypti=
on in Singularity<br>containers, which uses LUKS2... so this is a fun topic=
 to see in my<br>mailbox right now :-)<br><br>Cheers,<br><br>DT<br></div><b=
r></body></html>
------=_Part_2681935_261380449.1578683002895--