* [bug#51514] [PATCH 0/2] Add support for LUKS2 root partition
From: Josselin Poiret via Guix-patches via @ 2021-10-30 15:56 UTC
To: 51514
Hi,
This patchset adds support for a LUKS2 root partition, leveraging its
Grub support since 2.06, and making sure that the Cryptsetup run-time
locking directory /var/cryptsetup/ exists before trying to unlock
devices (this is required for LUKS2): this used to fail in early
userspace because /var/ did not exist. I've also added some
documentation on the limited support: Grub only supports PBKDF2 and
not Argon2i which is the default key derivation function. The example
given in the Disk Partitioning section was updated as well to use
LUKS2.
My testing setup was: using a Guix VM, install onto a qcow2 disk which
is itself launched with QEMU. It felt a bit convoluted (especially
transferring the WIP guix to the VM, then building it), and I'll see if
I can simplify this workflow a bit, but everything worked fine with
those patches.
Best,
Josselin Poiret
Josselin Poiret (2):
gnu: system: Add LUKS2 support for the root file system.
doc: Document LUKS2 Grub support and shortcomings
doc/guix.texi | 19 ++++++++++++++-----
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
3 files changed, 23 insertions(+), 9 deletions(-)
--
2.33.1
* [bug#51514] [PATCH 1/2] gnu: system: Add LUKS2 support for the root file system.
From: Josselin Poiret via Guix-patches via @ 2021-10-30 16:12 UTC
To: 51514; +Cc: Josselin Poiret
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
;; Other type of devices aren't implemented.
#~()))
(let ((devices (map crypto-device->cryptomount store-crypto-devices))
- ;; XXX: Add luks2 when grub 2.06 is packaged.
- (modules #~(format port "insmod luks~%")))
+ (modules #~(format port "insmod luks~%insmod luks2~%")))
(if (null? devices)
devices
(cons modules devices))))
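Review bot: with the XXX comment gone, nothing in this hunk records that the luks2 module only exists in GRUB 2.06 and later, and a grub.cfg containing `insmod luks2` will fail to load that module on an older GRUB. Keep a one-line comment stating the version requirement next to `(modules #~(format port "insmod luks~%insmod luks2~%")))`, and mention it in the commit message so the dependency on the packaged GRUB version is visible in the history.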
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..95944b03c8 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
- '((gnu build file-systems)))
+ '((gnu build file-systems)
+ (guix build utils))) ;; For mkdir-p
(match targets
((target)
#~(let ((source #$(if (uuid? source)
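Review bot: the margin comment `;; For mkdir-p` uses the full-line double-semicolon form; the file's own margin comments use a single semicolon (`;bytevector?` a few lines below in the same procedure), so `;for mkdir-p` would match the surrounding style.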
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
- #:select (find-partition-by-luks-uuid)))
+ #:select (find-partition-by-luks-uuid))
+ ((guix build utils) #:select (mkdir-p)))
+
+ ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+ ;; is mandatory for LUKS2.
+ (mkdir-p "/run/cryptsetup/")
;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
;; whole world inside the initrd (for when we're in an initrd).
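Review bot: the directory created here is `/run/cryptsetup/`, matching the commit message, while the cover letter describes `/var/cryptsetup/`; the cover letter should be corrected so later readers of the bug log are not misled. The comment also says locking is mandatory for LUKS2 but not why the directory is missing; add that the initrd's root file system does not provide it, which is the early-userspace failure the cover letter describes, and drop the trailing slash in `(mkdir-p "/run/cryptsetup/")`.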
--
2.33.1
* [bug#51514] [PATCH 2/2] doc: Document LUKS2 Grub support and shortcomings
From: Josselin Poiret via Guix-patches via @ 2021-10-30 16:12 UTC
To: 51514; +Cc: Josselin Poiret
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
doc/guix.texi | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 22215214e0..4420f67050 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2492,13 +2492,22 @@ mkfs.ext4 -L my-root /dev/sda2
If you are instead planning to encrypt the root partition, you can use
the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information). Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that Grub can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for Cryptsetup on Guix. You can check which key derivation function is
+being used by a device by running @command{cryptsetup luksDump <dev>},
+and looking for the PBKDF field of your keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence would be along these lines:
@example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition
@end example
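Review bot: the warning tells the reader to inspect the PBKDF of each keyslot, but the procedure only covers `luksFormat`. The PBKDF is a per-keyslot property, so a passphrase added later with `cryptsetup luksAddKey` gets the cryptsetup default again and GRUB will be unable to use that slot; the text should say that `--pbkdf pbkdf2` must be passed to `luksAddKey` (and `luksChangeKey`) as well.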
--
2.33.1
* [bug#51514] [PATCH 0/2] Add support for LUKS2 root partition
From: Ludovic Courtès @ 2021-11-12 22:32 UTC
To: Josselin Poiret; +Cc: 51514
Hello!
I haven’t tested it, but the patches LGTM. Nitpick:
Josselin Poiret <dev@jpoiret.xyz> wrote:
> * doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
> Partitioning]: Document it.
[…]
> +@quotation Warning
> +Note that Grub can unlock LUKS2 devices since version 2.06, but only
s/Grub/GRUB/ :-)
> +supports the PBKDF2 key derivation function, which is not the default
> +for Cryptsetup on Guix. You can check which key derivation function is
> +being used by a device by running @command{cryptsetup luksDump <dev>},
@var{device} rather than <dev>.
> +and looking for the PBKDF field of your keyslots.
Should we change “which is not the default for Cryptsetup on Guix” to
“but @command{cryptsetup luksFormat} does not use PBKDF2 by default”?
> +@end quotation
> +
> +Assuming you want to store the root partition on @file{/dev/sda2}, the
> +command sequence would be along these lines:
(after “command sequence”, add: “to format it as a LUKS2 partition”)
Could you send an updated version of this patch?
Besides, do you think we should change the installer to create LUKS2
partitions now in (gnu installer parted)?
Thanks!
Ludo’.
* [bug#51514] [PATCH v2 0/3] Add support for LUKS2 root partition
From: Josselin Poiret via Guix-patches via @ 2021-11-15 20:53 UTC
To: Ludovic Courtès; +Cc: Josselin Poiret, 51514
Hello again Ludovic,
Here is an updated patchset, which includes the changes you suggested,
as well as updating the installer to use LUKS2 by default (I tested it
in a VM and it works pretty well). I don't think there's any reason
not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
case if there are specific needs they can be addressed by a manual
installation.
Best,
Josselin Poiret (3):
gnu: system: Add LUKS2 support for the root file system.
doc: Document LUKS2 GRUB support and shortcomings
installer: Make LUKS2 the default format for encrypted devices
doc/guix.texi | 22 +++++++++++++++++-----
gnu/bootloader/grub.scm | 3 +--
gnu/installer/parted.scm | 5 +++--
gnu/system/mapped-devices.scm | 10 ++++++++--
4 files changed, 29 insertions(+), 11 deletions(-)
--
2.33.1
* [bug#51514] [PATCH v2 1/3] gnu: system: Add LUKS2 support for the root file system.
From: Josselin Poiret via Guix-patches via @ 2021-11-15 20:53 UTC
To: Ludovic Courtès; +Cc: Josselin Poiret, 51514
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
;; Other type of devices aren't implemented.
#~()))
(let ((devices (map crypto-device->cryptomount store-crypto-devices))
- ;; XXX: Add luks2 when grub 2.06 is packaged.
- (modules #~(format port "insmod luks~%")))
+ (modules #~(format port "insmod luks~%insmod luks2~%")))
(if (null? devices)
devices
(cons modules devices))))
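Review bot: unchanged from v1. The PBKDF2-only limitation of GRUB's LUKS2 unlocking is documented in the manual patch but not near the code that emits the cryptomount lines; a short comment at the `modules` binding (GRUB 2.06 or later, PBKDF2 keyslots only) would help whoever next touches this generator.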
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..96a381d5fe 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
- '((gnu build file-systems)))
+ '((gnu build file-systems)
+ (guix build utils))) ;; For mkdir-p
(match targets
((target)
#~(let ((source #$(if (uuid? source)
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
- #:select (find-partition-by-luks-uuid)))
+ #:select (find-partition-by-luks-uuid))
+ ((guix build utils) #:select (mkdir-p)))
+
+ ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+ ;; is mandatory for LUKS2.
+ (mkdir-p "/run/cryptsetup/")
;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
;; whole world inside the initrd (for when we're in an initrd).
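Review bot: `mkdir-p` runs unconditionally before each `cryptsetup` invocation, which is idempotent and fine, but if the directory cannot be created the failure surfaces as a raw Scheme exception from `mkdir-p` rather than a message naming the lock directory. Consider catching the error and reporting that `/run/cryptsetup` could not be created before `cryptsetup-static` is even attempted.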
--
2.33.1
* [bug#51514] [PATCH v2 2/3] doc: Document LUKS2 GRUB support and shortcomings
From: Josselin Poiret via Guix-patches via @ 2021-11-15 20:53 UTC
To: Ludovic Courtès; +Cc: Josselin Poiret, 51514
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
doc/guix.texi | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1b10e2d626..95d286a836 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -98,6 +98,7 @@ Copyright @copyright{} 2021 pukkamustard@*
Copyright @copyright{} 2021 Alice Brenon@*
Copyright @copyright{} 2021 Andrew Tropin@*
Copyright @copyright{} 2021 Sarah Morgensen@*
+Copyright @copyright{} 2021 Josselin Poiret@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -2492,13 +2493,24 @@ mkfs.ext4 -L my-root /dev/sda2
If you are instead planning to encrypt the root partition, you can use
the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information). Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that GRUB can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for @command{cryptsetup luksFormat}. You can check which key derivation
+function is being used by a device by running @command{cryptsetup
+luksDump @var{device}}, and looking for the PBKDF field of your
+keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence to format it as a LUKS2 partition would be along these
+lines:
@example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition
@end example
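Review bot: the warning instructs the reader to use PBKDF2 without saying that this is a downgrade from cryptsetup's argon2 default, which is memory-hard; since bootability is the only reason to give that up, the text should say so and suggest compensating with a longer `--iter-time` on `luksFormat`. The rewording requested in review (`@var{device}`, GRUB, "to format it as a LUKS2 partition") is in place.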
--
2.33.1
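A practical check that follows from the warning in the manual patch, written for this editorial pass and not part of the patch series or of Guix: a small POSIX shell script that parses the keyslot section of `cryptsetup luksDump` output and reports which keyslots GRUB 2.06 can actually unlock. The function names (keyslot_pbkdfs, grub_usable_keyslots) and the two sample dumps are constructed here; the layout of the dump is assumed to be that of cryptsetup 2.x. It runs offline on the embedded samples; on a real system pipe `cryptsetup luksDump /dev/sda2` into keyslot_pbkdfs instead.

```shell
#!/bin/sh
# Added example for this thread, not code from the Guix patches: given the text
# printed by `cryptsetup luksDump DEVICE`, list the PBKDF of every keyslot and
# decide whether GRUB 2.06 can unlock the device. GRUB's LUKS2 support handles
# pbkdf2 keyslots only, so a header whose keyslots all use argon2i/argon2id
# will not boot even though cryptsetup itself opens it fine.
#
# Assumption: the layout of luksDump output follows cryptsetup 2.x, where the
# "Keyslots:" section lists entries as "  N: luks2" followed by indented
# fields including "PBKDF:". Only that section is parsed; the "Digests:"
# section also contains a "pbkdf2" line, which must not count as a keyslot.

# Print "SLOT PBKDF" for every keyslot in the luksDump text read from stdin.
keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_keyslots = 1; next }
        /^[A-Z]/     { in_keyslots = 0 }                 # any other top-level section
        in_keyslots && /^[ \t]+[0-9]+: / { slot = $1; sub(/:/, "", slot) }
        in_keyslots && /^[ \t]+PBKDF:/   { print slot, $2 }
    '
}

# Print the numbers of the keyslots GRUB can unlock (PBKDF pbkdf2), one per
# line; exit status 1 when there is none.
grub_usable_keyslots() {
    printf '%s\n' "$1" | keyslot_pbkdfs |
        awk '$2 == "pbkdf2" { print $1; found = 1 } END { exit !found }'
}

# Constructed sample (not a dump of a real device; the UUID is made up and real
# output indents the fields with a tab). Keyslot 0 was created with the
# cryptsetup default, keyslot 1 with `--pbkdf pbkdf2` as the manual patch
# recommends.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-1111-2222-3333-444444444444
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 2000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456'

# Second constructed sample: a device formatted with plain `cryptsetup
# luksFormat --type luks2`, i.e. one argon2id keyslot and nothing GRUB can use.
ARGON_ONLY_DUMP='Keyslots:
  0: luks2
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Stand-alone demonstration. On an installed system the same check is
#   cryptsetup luksDump /dev/sda2 | keyslot_pbkdfs
for dump in "$SAMPLE_DUMP" "$ARGON_ONLY_DUMP"; do
    if slots=$(grub_usable_keyslots "$dump"); then
        echo "GRUB-unlockable keyslots:" $slots
    else
        echo "no pbkdf2 keyslot: GRUB 2.06 cannot unlock this device"
    fi
done
```

The second sample is the failure mode the thread is about: a device formatted with the cryptsetup defaults opens fine from a running system but has no keyslot GRUB can use, so the check belongs before the first reboot into a freshly converted root, and after every `luksAddKey`.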
* [bug#51514] [PATCH v2 3/3] installer: Make LUKS2 the default format for encrypted devices
From: Josselin Poiret via Guix-patches via @ 2021-11-15 20:53 UTC
To: Ludovic Courtès; +Cc: Josselin Poiret, 51514
* gnu/installer/parted.scm (luks-format-and-open): Change it.
---
gnu/installer/parted.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/installer/parted.scm b/gnu/installer/parted.scm
index cbe676017b..00de0a30fa 100644
--- a/gnu/installer/parted.scm
+++ b/gnu/installer/parted.scm
@@ -1165,8 +1165,9 @@ (define (luks-format-and-open user-partition)
(lambda (key-file)
(syslog "formatting and opening LUKS entry ~s at ~s~%"
label file-name)
- (system* "cryptsetup" "-q" "luksFormat" file-name key-file)
- (system* "cryptsetup" "open" "--type" "luks"
+ (system* "cryptsetup" "-q" "luksFormat" "--type" "luks2"
+ "--pbkdf" "pbkdf2" file-name key-file)
+ (system* "cryptsetup" "open"
"--key-file" key-file file-name label)))))
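Review bot: the return values of both `system*` calls are discarded, so if `cryptsetup luksFormat` fails for any reason the following `cryptsetup open` still runs against an unformatted device and the installer carries on. Check `(zero? (system* "cryptsetup" "-q" "luksFormat" ...))` for at least the format step and raise an installer error with the device name when it is not.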
(define (luks-close user-partition)
--
2.33.1
* bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
From: Ludovic Courtès @ 2021-12-01 16:22 UTC
To: Josselin Poiret; +Cc: 51514-done
Hello Josselin,
Josselin Poiret <dev@jpoiret.xyz> wrote:
> Here is an updated patchset, which includes the changes you suggested,
> as well as updating the installer to use LUKS2 by default (I tested it
> in a VM and it works pretty well). I don't think there's any reason
> not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
> case if there are specific needs they can be addressed by a manual
> installation.
>
> Best,
>
> Josselin Poiret (3):
> gnu: system: Add LUKS2 support for the root file system.
> doc: Document LUKS2 GRUB support and shortcomings
> installer: Make LUKS2 the default format for encrypted devices
Applied it all after checking:
make check-system TESTS=encrypted-root-os
Thank you!
Ludo’.