all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Andreas Enge <andreas@enge.fr>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 21843@debbugs.gnu.org
Subject: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Tue, 8 Mar 2016 20:21:04 +0100	[thread overview]
Message-ID: <20160308192104.GA22722@solar> (raw)
In-Reply-To: <87twozi0ql.fsf@gnu.org>

I tried the installation with unencrypted /boot, encrypted / using the
following snippet in the configuration file:
  (bootloader (grub-configuration (device "/dev/sda")))
  (mapped-devices (list (mapped-device
                         (source "/dev/sda2")
                         (target "root")
                         (type luks-device-mapping))))
  (file-systems (cons* (file-system
                        (device "/dev/mapper/root")
                        (title 'device)
                        (mount-point "/")
                        (type "ext4")
                        (needed-for-boot? #t))
                       (file-system
                         (device "boot")
                         (title 'label)
                         (mount-point "/boot")
                         (type "ext4")
                         (needed-for-boot? #t))
                       %base-file-systems))

Grub did not start, as it did not find the kernel etc. in /gnu/store.

So I typed "c" at the grub menu (in text mode without the splash screen,
which also resides in /gnu/store), and issued the following two commands:
  insmod luks
  cryptomount hd0,msdos2

This prompted me for the password a first time. The "insmod cryptodisk" was
not necessary. There was a new device called "(crypto0)" now; "ls (crypto0)/"
showed, among others, the /gnu directory.

Now I still needed to define the kernel; running "boot" was not enough.

I executed
  configfile (hd0,msdos1)/grub/grub.cfg
and now obtained the normal grub menu (with the splash screen) and could now
boot as usual. I was prompted a second time for the password.
According to the grub.cfg, grub searches for the kernel by file name and
uses the device where it is found automatically as root. So the second time
it must also have searched (crypto0).


This can be automated; I just added the two lines
  insmod luks
  cryptomount hd0,msdos2
to the top of grub.cfg, and the next time everything worked out of the box
(with two password prompts: the first one in text mode before grub was visibly
started, then the grub splash screen appeared, then during the normal boot).

The only difficulty here is the mapping between the mapped-device /dev/sda2
and the grub device hd0,msdos2. We would need to determine this automatically
when creating the grub.cfg during the call to "guix system init".


Maybe UUIDs can help. The command
   crytsetup luksUUID /dev/sda2
returns a hex string with dashes, in my case 1aa...-...
This could be run during "guix system init" with the source field of
mapped-device.
The grub manual at:
  https://www.gnu.org/software/grub/manual/html_node/Device-syntax.html#Device-syntax
mentions a device syntax such as
  (cryptouuid/123456789abcdef0123456789abcdef0)
I tried replacing
  cryptomount hd0,msdos2
by
  cryptomount cryptouuid/1aa...
(without the dashes), but this did not work.
The strange thing is that grub somehow knows this uuid; when I type
   cryptomount hd0,msdos2
I am presented with the prompt
   Enter passphrase for hd0,msdos2 (1aa...):

So I am stuck here.


A first tentative solution would be to look for mapped-devices of type
luks-device-mapping that correspond to file-systems with needed-for-boot?
set to #t, and then add the corresponding "cryptomount" lines to grub.cfg,
with the obvious mapping sda->hd0, sdb->hd1,..., and 1->msdos1, 2->msdos2
and so on.

This would not be perfect, but at least better than what we have now.

And the line "insmod luks" could be added unconditionally (or only in the
presence of a mapped-device of type luks-device-mapping).

Andreas

  reply	other threads:[~2016-03-08 19:22 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-06 15:52 bug#21843: Generated grub.cfg does not support encrypted roots Ludovic Courtès
2016-03-08 19:21 ` Andreas Enge [this message]
2016-03-08 19:33   ` Andreas Enge
2016-03-10  9:17     ` Ludovic Courtès
2016-03-10  9:48       ` Andreas Enge
2016-03-11  8:45         ` Ludovic Courtès
2016-03-16 20:40       ` Andreas Enge
2016-03-17 13:14         ` Andreas Enge
2016-04-17 23:29       ` Ludovic Courtès
2016-04-27 20:58     ` Ludovic Courtès
2016-05-01 22:07       ` Ludovic Courtès
2016-10-26  6:56         ` Christopher Baines
2016-11-23 20:21           ` Ludovic Courtès
2016-04-16 16:09 ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160308192104.GA22722@solar \
    --to=andreas@enge.fr \
    --cc=21843@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.