From: Benjamin Slade
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Sat, 04 Aug 2018 09:30:12 -0600
Message-ID: <87effef8u3.fsf@jnanam.net>
In-reply-to: <878t5n8eob.fsf@lassieur.org>
To: Clément Lassieur
Cc: help-guix@gnu.org

Thanks, Clément.

> > > Do you use Libreboot?
> >
> > Yes, I'm using Libreboot. Does this make a great difference over the
> > manufacturer firmware in this case?
>
> It might, because the GRUB used is the one shipped with Libreboot.
> So it has nothing to do with Guix. I think talking to the libreboot
> people would help you more. (Disclaimer: I have the same issue, I
> find that pressing 'c' and typing 'cryptomount ahci0,gpt3' makes the
> process faster.)

Thanks, I'll look into that.
For the moment I've just switched to having an unencrypted root and
encrypted /home partition (where the swapfile also lives), which seems to
me better from a security standpoint (I can use --iter 500, sha512, &c.
without an issue).

> > > I'm unsure [using an unencrypted /boot] would help, because GRUB
> > > would still have to unencrypt / to access the kernel (the kernel
> > > is in /gnu/store).
> >
> > Ah, I see. Is this an immutable design decision? It would seem
> > good to be able to keep the kernel in a separate space in order to
> > avoid the issue of extremely long unlocking times when booting.
>
> Nothing is immutable, but it's a strong design decision that all
> packages' data are put in /gnu/store. Linux is just one of them.
> Plus, a characteristic of GuixSD is that you can revert to previous
> configurations. Those configurations appear as GRUB lines. Each
> configuration could have a different kernel and kernels take space,
> so it wouldn't scale well. Plus, I think some other stuff is needed
> as well, like the initrd, which is large too, etc.

I mused briefly about mirroring of the relevant things (kernels, initrd)
from /gnu/store to /boot, but that's probably pretty hack-y.

--
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
  '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
  `(Choose Linux ,(Choose Freedom) . https://linux.com )
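The partition layout described in the message above (plain root so GRUB can read the kernel and initrd from /gnu/store, a LUKS container for /home, and the swap file inside that container), written out as a Guix operating-system declaration. This is an added example, not code from the thread or from the Guix project; the UUID, file-system labels, device paths and host name are placeholders, and the record fields are the ones Guix accepted at the time of the thread (e.g. the bootloader `target` field and string-valued `swap-devices`).

```scheme
;; Added example: Guix system declaration for an unencrypted root and a
;; LUKS-encrypted /home, matching the layout described in the message.
;; UUID, labels, devices and host name below are assumed placeholders.
(use-modules (gnu))

(operating-system
  (host-name "example")       ; placeholder
  (timezone "Etc/UTC")        ; placeholder

  ;; Only /home is a LUKS container.  Root stays in the clear so that
  ;; the firmware's GRUB can load the kernel and initrd from /gnu/store
  ;; without running the slow LUKS key derivation at boot time.
  (mapped-devices
   (list (mapped-device
          ;; Placeholder; obtain the real value with
          ;; `cryptsetup luksUUID /dev/sdXN'.
          (source (uuid "00000000-0000-0000-0000-000000000000"))
          (target "home")                  ; unlocked as /dev/mapper/home
          (type luks-device-mapping))))

  (file-systems
   (cons* (file-system
            (device (file-system-label "guix-root")) ; plain ext4 root
            (mount-point "/")
            (type "ext4"))
          (file-system
            (device "/dev/mapper/home")
            (mount-point "/home")
            (type "ext4")
            ;; Unlock the LUKS volume before this mount is attempted.
            (dependencies mapped-devices))
          %base-file-systems))

  ;; Swap lives on the encrypted file system, so swapped-out pages are
  ;; never written to disk in the clear.  String form as accepted by
  ;; Guix in 2018; newer Guix uses `swap-space' records instead.
  (swap-devices (list "/home/swapfile"))

  ;; With Libreboot the firmware's own GRUB payload boots the machine;
  ;; this entry mainly produces the grub.cfg that payload chains to.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda"))))      ; placeholder disk
```

The key-derivation settings the message mentions (hash, iteration count) are chosen when the container is created, e.g. `cryptsetup luksFormat --hash sha512 --iter-time <milliseconds> /dev/sdXN`, not in the Guix declaration; the declaration only names the container by UUID and the mapping name.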