From: Tomas Volf
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Tue, 1 Aug 2023 22:53:10 +0200
Subject: [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file
X-Mailer: git-send-email 2.41.0

With an encrypted /boot, it is currently necessary to enter the password twice: once for /boot (so that grub can find its configuration) and once more later to actually unlock / itself. This is not very user-friendly and quickly gets annoying in more exotic setups. For example, with / on RAID1 BTRFS the password needs to be entered 4 times. Even without that, for large encrypted arrays the password needs to be entered once per drive.

The obvious solution is to use the --key-file option of the luksOpen command; however, support for that was not implemented. This series adds it.

Another problem is where to store the key file: it needs to be present in the initrd, but it cannot be in the store (that would make it world-readable, which you do not want for an encryption key). Luckily for us, grub can load multiple initrds and merge them, so an option to specify an additional initrd (not from the store) is added as well.

Since extlinux does not appear to support encrypted /boot (and this new option should not be used for anything else), it was added only to grub.
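As an added illustration of the design described above (not code from this patch series or from Guix), the following Python builds the kind of separate, store-free initrd the cover letter relies on: a gzip-compressed cpio "newc" archive containing only the key file with mode 0400, plus a check that the archive's destination is not under /gnu/store. The in-initrd file name root.key and the destination paths are assumptions; an initrd being a gzip'd newc cpio that GRUB concatenates is standard Linux initramfs behaviour.

```python
"""Constructed example (not Guix code): build a key-only extra initrd.
An initrd is a gzip-compressed cpio 'newc' archive and GRUB merges several
of them, so the key can ship in its own archive kept off the store."""
import gzip

STORE_PREFIX = "/gnu/store/"  # everything under here is world-readable

def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return -n % 4

def cpio_newc_entry(name, data, mode, ino):
    """One newc record: 110-byte ASCII-hex header, NUL-terminated name,
    then the data, with name and data each padded to a 4-byte boundary."""
    namesize = len(name) + 1  # the trailing NUL counts
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0)
    header = b"070701" + "".join(f"{f:08x}" for f in fields).encode("ascii")
    rec = header + name.encode("ascii") + b"\0"
    rec += b"\0" * _pad4(len(rec))
    return rec + data + b"\0" * _pad4(len(data))

def build_key_initrd(key_bytes, key_name="root.key"):
    """Archive holding only the key as a 0400 regular file, plus the trailer."""
    body = cpio_newc_entry(key_name, key_bytes, 0o100000 | 0o400, ino=1)
    body += cpio_newc_entry("TRAILER!!!", b"", 0, ino=0)
    return gzip.compress(body)

def destination_is_safe(path):
    """Refuse to place the key initrd anywhere under the world-readable store."""
    return not path.startswith(STORE_PREFIX)

def parse_newc(archive):
    """Read the archive back as [(name, mode, data)] to verify exactly what
    the merged initrd will expose."""
    buf, off, entries = gzip.decompress(archive), 0, []
    while buf[off:off + 6] == b"070701":
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode("ascii")
        off += 110 + namesize + _pad4(110 + namesize)
        data, off = buf[off:off + size], off + size + _pad4(size)
        if name == "TRAILER!!!":
            break
        entries.append((name, mode, data))
    return entries
```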
Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
-- 
2.41.0