Subject: [bug#38826] Fwd: [bug #55093] Add LUKS2 support
Date: Fri, 10 Jan 2020 13:03:22 -0600
From: David Trudgian
To: Tobias Geerinckx-Rice
Cc: 38826 <38826@debbugs.gnu.org>
Message-Id: <16f90d6f00f.e61facad831696.4328929059229895663@trudgian.net>
In-Reply-To: <87imljcodn.fsf@nckx>

>> Yay, this is implemented in
>> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755
>
> I'll take a look later.  We'll see whether or not it would be prudent
> to ship this as-is in Guix.

I had a look at this before, and the issue remaining is that the LUKS2
support in GRUB via this patch is not compatible with the default PBKDF
that is going to be used by cryptsetup when creating LUKS2 partitions.

Looking at `cryptsetup --help` on Guix or elsewhere will show that the
default LUKS2 PBKDF is argon2i. Unfortunately only pbkdf2 is supported by
this GRUB2 patch (it's the default PBKDF for LUKS1).

It's possible to create LUKS2 encrypted partitions using pbkdf2, but
this means they aren't using a PBKDF of the same strength that most
people expect from LUKS2 use elsewhere - in distros where an
unencrypted `/boot` is used to avoid the direct support in GRUB problem.

I'm not sure if this is a major concern or not here?

Have spent some of my morning writing up about encryption in Singularity
containers, which uses LUKS2... so this is a fun topic to see in my
mailbox right now :-)

Cheers,

DT
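As an added example (not code from this thread), a shell check that reads `cryptsetup luksDump` output and reports the PBKDF of each LUKS2 keyslot, since only keyslots using pbkdf2 could be opened by the GRUB patch discussed above; the dump embedded below is constructed, and the `--pbkdf pbkdf2` option named in the comment is cryptsetup's own flag for the pbkdf2-only case.

```shell
#!/bin/sh
# Usage on a real device:  cryptsetup luksDump DEVICE | luks2_grub_compatible
# A LUKS2 volume this GRUB patch can unlock is created with
#   cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 DEVICE
# at the cost of a non-memory-hard KDF instead of the argon2i default.

# Print "slot<TAB>pbkdf" for every keyslot. Only the "Keyslots:" section
# is inspected: the "Digests:" section also says "pbkdf2" but that is the
# header digest, not a passphrase keyslot, and must not be counted.
luks2_keyslot_pbkdfs() {
    awk '
        /^[A-Za-z]/ { section = $1 }                 # top-level section name
        section == "Keyslots:" && /^[[:space:]]+[0-9]+: / {
            slot = $1; sub(":", "", slot)            # "0:" -> "0"
        }
        section == "Keyslots:" && /^[[:space:]]+PBKDF:/ { print slot "\t" $2 }
    '
}

# Exit 0 when every keyslot uses pbkdf2 (openable by the patched GRUB),
# exit 1 when any keyslot uses argon2i/argon2id (GRUB cannot derive the key).
luks2_grub_compatible() {
    luks2_keyslot_pbkdfs | awk '$2 != "pbkdf2" { bad = 1 } END { exit bad + 0 }'
}

# Constructed, abbreviated luksDump of a volume with one argon2i keyslot
# (cryptsetup's default) and one pbkdf2 keyslot added for GRUB.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 500000
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}
```

Keyslot 0 above fails the check and keyslot 1 passes, so the volume as a whole is reported as not GRUB-openable until the argon2i slot is removed or converted.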