From: Giovanni Biscuolo
To: guix-devel@gnu.org
Subject: problems installing on LUKS2 encrypted device
Organization: Xelera.eu
Date: Fri, 08 Dec 2023 18:34:16 +0100
Message-ID: <87il58a99j.fsf@xelera.eu>

Hello,

I've noticed that the last released system installer [1], when using the guided install workflow, uses LUKS1 encryption; since I would like to install on a LUKS2 encrypted root filesystem, I tried to "manually" install following the instructions in the manual [2].

When using the LUKS2 encryption format [3], after completing the installation and rebooting I get an error from Grub: it cannot find the encrypted volume; it is trying to open the /unencrypted/ volume instead (via UUID), the child of the LUKS2 encrypted one.

If I just change the type of encryption to "luks1" in [3], the installed machine boots as expected.
Since I know that LUKS2 support in Grub was not available when Guix 1.4 was released, I also tried to "guix pull && hash guix" /before/ installing with "guix system init /mnt/etc/config.scm /mnt", but the error was the same. I still have not tried to build an updated system installation image to see if it works.

Since the (stable) manual provides instructions on how to install Guix System on a LUKS2 encrypted partition [4], I'd like to understand if I'm doing something wrong or whether there is a bug, at least in the manual.

I'm attaching the script I'm using for the "manual" installation: if I set "luks2" in the "cryptsetup luksFormat..." command /and/ uncomment the "guix pull && hash guix" commands, the installation produces an unbootable system.

Sorry for the "short story made long", but my script is a proof of concept to allow installing a Guix System starting from any (recent) rescue system (tested only with a Guix install image and a systemd rescue system, grml); that's why it is so "long":

--- bootstrap-guix.sh ---

#!/bin/sh
# Copyright © 2023 Giovanni Biscuolo
#
# bootstrap-guix.sh is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# bootstrap-guix.sh is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# A copy of the GNU General Public License is available at
# .

# bootstrap-guix.sh is a very opinionated script to install Guix
# System on a host booted in "rescue" mode.
#
# The system is installed on a single disk BTRFS filesystem on a LUKS
# encrypted partition.

# Abort on the first failing command: every step below wipes, formats
# or mounts a disk, so continuing past an error is never what we want.
set -e
# ---------------------------------------------------------------------
# Variables

# Disks
# TODO: transform this in array TARGET_DISKS[TARGET_NUMDISKS], for multi disk setups
export TARGET_NUMDISKS=1
export TARGET_DISK_PART_SUFFIX=""
export TARGET_DISK1="/dev/sda"
export TARGET_SWAP_SIZE="16GB"

# Hostname
export TARGET_HOSTNAME="pioche"

# User and pub key (only one admin user for basic installation)
export TARGET_USERNAME="g"
export TARGET_USERGECOS="Giovanni Biscuolo"
export TARGET_USERKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqpr0unFxPo2PnQTmmO2dIUEECsCL3vVvjhk5Dx80Yb g@xelera.eu"

# ###########################
# DO NOT EDIT these variables
# unless for debugging

# (minimal) OS configuration file name
export OS_CONFIG_FILE="bootstrap-config.scm"

# Target OS mount point
export TARGET_MOUNTPOINT="/mnt/guix"

# Source os-release information
test -e /etc/os-release && os_release='/etc/os-release' || os_release='/usr/lib/os-release'
. "${os_release}"
echo "### INFO - Detected GNU/Linux distribution: ${PRETTY_NAME}."

# ---------------------------------------------------------------------
# Prepare the target system filesystem

# Wipe the disks
# TODO: use the array TARGET_DISKS[]
echo "### START - Wiping disks."
wipefs -af ${TARGET_DISK1}*
echo "### STOP - Wiping disks."

# Partition the disks
# FIXME: detect if on EFI platform looking at /sys/firmware/efi and
# perform disk partitioning and filesystem formatting accordingly

## Disk 1
echo "### START - partitioning ${TARGET_DISK1}."
parted ${TARGET_DISK1} --align=opt -s -m -- mklabel gpt
# BIOS grub system partition
parted ${TARGET_DISK1} --align=opt -s -m -- \
    mkpart grub 1MiB 5MiB \
    name 1 grub-1 \
    set 1 bios_grub on
# partition p2 will be swap
parted ${TARGET_DISK1} --align=opt -s -m -- \
    mkpart linux-swap 5MiB ${TARGET_SWAP_SIZE} \
    name 2 swap-1
# partition p3 will be LUKS encrypted device
parted ${TARGET_DISK1} --align=opt -s -m -- \
    mkpart ext4 ${TARGET_SWAP_SIZE} 100% \
    name 3 luks-1
echo "### END - partitioning ${TARGET_DISK1}."

# Create LUKS device on encrypted partition, backup LUKS header and open it
echo "### START - Making encrypted ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3."
# FIXME: LUKS2 non supported?
# GRUB can unlock a LUKS2 container only when its key slots use PBKDF2
# (not argon2), hence "--pbkdf pbkdf2" on the LUKS2 variant.
# cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3
cryptsetup luksFormat --type luks1 ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3
# The header backup contains the key slots: it must be stored with the
# same care as the passphrase itself (the script leaves it in $PWD).
cryptsetup luksHeaderBackup --header-backup-file `basename ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3`.luksHeader ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3
echo "### END - Making encrypted ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3."

# Opening encrypted device, ready to be formatted
echo "### START - Opening encrypted ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3."
cryptsetup open ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3 cryptroot
echo "### END - Opening encrypted ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3."

# Make swap on p2 partitions and turn them on
echo "### START - Making swap."
mkswap ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}2
swapon ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}2
echo "### END - Making swap."

# Create BTRFS filesystem
echo "### START - Making BTRFS filesystem and subvolumes."
mkfs.btrfs -f /dev/mapper/cryptroot

# Mount the target Guix System root
mkdir -p ${TARGET_MOUNTPOINT}
mount -o compress=zstd /dev/mapper/cryptroot ${TARGET_MOUNTPOINT}

# Create subvolumes for target system
btrfs subvolume create ${TARGET_MOUNTPOINT}/var
btrfs subvolume create ${TARGET_MOUNTPOINT}/home
btrfs subvolume create ${TARGET_MOUNTPOINT}/srv
btrfs subvolume create ${TARGET_MOUNTPOINT}/root
btrfs subvolume create ${TARGET_MOUNTPOINT}/gnu
echo "### END - Making BTRFS filesystem and subvolumes."

# ---------------------------------------------------------------------
# Prepare basic OS configuration

# The heredoc is intentionally unquoted: ${...} and `blkid ...` are
# expanded by this shell so the UUIDs of the LUKS container and of the
# swap partition end up literally in the generated configuration.
cat > ${OS_CONFIG_FILE} << EOF
;; Very basic Guix System

(use-modules (gnu))
(use-service-modules admin networking ssh linux)

;; Definitions

(define (sysadmin name full-name)
  (user-account
   (name name)
   (comment full-name)
   (group "users")
   (supplementary-groups '("wheel" "kvm"))
   (home-directory (string-append "/home/" name))))

(define %accounts
  (list (sysadmin "${TARGET_USERNAME}" "${TARGET_USERGECOS}")))

;; operating-system

(operating-system
  (locale "en_US.utf8")
  (timezone "Europe/Rome")
  (keyboard-layout (keyboard-layout "it" "winkeys"))
  (host-name "${TARGET_HOSTNAME}")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets (list "${TARGET_DISK1}"))
               (keyboard-layout keyboard-layout)))

  ;; The source UUID is the one of the crypto_LUKS partition itself,
  ;; not of the filesystem inside /dev/mapper/cryptroot.
  (mapped-devices
   (list (mapped-device
          (source (uuid "`blkid -o value -s UUID ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3`"))
          (target "cryptroot")
          (type luks-device-mapping))))

  (file-systems (append
                 (list (file-system
                         (mount-point "/")
                         (device "/dev/mapper/cryptroot")
                         (type "btrfs")
                         (options "compress=zstd")
                         (dependencies mapped-devices)))
                 %base-file-systems))

  (swap-devices (list (swap-space
                       (target (uuid "`blkid -o value -s UUID ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}2`")))))

  (issue
   ;; Default contents for /etc/issue.
   "\\
This is a Guix system.
Welcome.\n")

  (users (append %accounts %base-user-accounts))

  (sudoers-file
   (plain-file "sudoers" "\\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL\n"))

  ;; Globally-installed packages.
  (packages (append (list
                     (specification->package "st")
                     (specification->package "nss-certs"))
                    %base-packages))

  (services (append
             %base-services
             (list
              (service dhcp-client-service-type)
              (service unattended-upgrade-service-type)
              (service openssh-service-type
                       (openssh-configuration
                        (port-number 22)
                        (password-authentication? #f)
                        (permit-root-login 'prohibit-password)
                        (extra-content "ListenAddress 0.0.0.0")
                        (authorized-keys
                         \`(("${TARGET_USERNAME}" ,(plain-file "${TARGET_USERNAME}.pub" "${TARGET_USERKEY}"))
                           ("root" ,(plain-file "${TARGET_USERNAME}.pub" "${TARGET_USERKEY}"))))))))))
EOF

# ---------------------------------------------------------------------
# Mount the /gnu store copy-on-write using ${TARGET_MOUNTPOINT}

echo "### START - Mounting cow-store"
if [ "${ID:-linux}" = "guix" ]; then
    herd start cow-store ${TARGET_MOUNTPOINT}
else
    # Make the store copy-on-write, using TARGET as the backing store.
    # This is useful when TARGET is on a hard disk, whereas the current
    # store is on a RAM disk.  Ported from mount-cow-store in
    # gnu/build/install.scm, used by "herd start cow-store".
    mkdir -p /gnu/store

    # TMPDIR=${TARGET_MOUNTPOINT}/tmp
    # mkdir -p $TMPDIR
    # mount -o bind $TMPDIR /tmp

    RWDIR=${TARGET_MOUNTPOINT}/tmp/guix-inst
    WORKDIR=${RWDIR}/../.overlayfs-workdir
    mkdir -p ${RWDIR}
    mkdir -p ${WORKDIR}
    chmod 775 ${RWDIR}
    mount -t overlay -o lowerdir=/gnu/store,upperdir=${RWDIR},workdir=${WORKDIR} overlay /gnu/store
    systemctl daemon-reload
fi
echo "### END - Mounting cow-store"

# Collect some partitioning and mount points info
mount > bootstrap-mount-points.txt
lsblk -f ${TARGET_DISK1} -J > bootstrap-lsblk-`basename ${TARGET_DISK1}`.json

# ---------------------------------------------------------------------
# Install GNU Guix if needed

if [ "${ID:-linux}" = "guix" ]; then
    echo "### INFO - No need to install the guix binary."
else
    # ---------------------------------------------------------------------
    # Install guix using binary installation
    # guix-install.sh verifies the GPG signature of the binary tarball it
    # downloads; the installer script itself is trusted on the strength of
    # the TLS connection to savannah.
    echo "### START - Installing guix binary."
    wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
    chmod +x guix-install.sh
    ./guix-install.sh
    hash guix
    echo "### END - Installing guix binary."
fi

# Update guix, needed for grub LUKS2 support???
# echo "### START - Updating Guix."
# guix pull
# hash guix
# echo "### STOP - Updating Guix."

guix describe > bootstrap-guix-version.txt

# ---------------------------------------------------------------------
# Install Guix on target filesystem

echo "### START - Installing Guix on ${TARGET_MOUNTPOINT}"
mkdir -p ${TARGET_MOUNTPOINT}/etc
cp ${OS_CONFIG_FILE} ${TARGET_MOUNTPOINT}/etc/config.scm
guix system init ${TARGET_MOUNTPOINT}/etc/config.scm ${TARGET_MOUNTPOINT}
echo "### END - Installing Guix on ${TARGET_MOUNTPOINT}"

# FIXME: umount cow-store and delete tmp files
# (define (unmount-cow-store target backing-directory)
#   "Unmount copy-on-write store."
#   (let ((tmp-dir "/remove"))
#     (mkdir-p tmp-dir)
#     (mount (%store-directory) tmp-dir "" MS_MOVE)
#
#     ;; We might get EBUSY at this point, possibly because of lingering
#     ;; processes with open file descriptors.  Use 'umount*' to retry upon
#     ;; EBUSY, leaving a bit of time.  See .
#     (umount* tmp-dir)
#     (rmdir tmp-dir)
#     (delete-file-recursively
#      (string-append target backing-directory))))
#
# # --------------------------------------------------------------------
# # Unmount and close encrypted partition, swapoff
# umount /gnu
# umount ${TARGET_MOUNTPOINT}
# cryptsetup close cryptroot
# swapoff ${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}2

# ---------------------------------------------------------------------
# End game

echo ""
echo "### DONE! - Target system in ${TARGET_MOUNTPOINT} is ready..."
echo ""
echo "Please remember to copy ${OS_CONFIG_FILE} to a safe remote location"
echo ""
echo "...and reboot to start your new Guix System! Bye."

--- end of bootstrap-guix.sh ---

Thanks!
Gio'

[1] https://ftp.gnu.org/gnu/guix/guix-system-install-1.4.0.-linux.iso
[2] https://guix.gnu.org/en/manual/en/html_node/Manual-Installation.html
[3] cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sdaX
[4] https://guix.gnu.org/en/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
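A pre-reboot check that an installer like bootstrap-guix.sh can run, added here as an example and not part of the original message or of the script: it confirms that the UUID handed to (mapped-device (source (uuid ...))) is the UUID of the crypto_LUKS container rather than the UUID of the btrfs filesystem that only appears under /dev/mapper/cryptroot after the container is opened, and it reports the LUKS format version blkid sees on the partition. The blkid output and the two configuration fragments are constructed samples standing in for `blkid -o export` and the generated bootstrap-config.scm; the function names are the example's own. A configuration that passes this check rules out the config-side mistake that produces the same "Grub opens the wrong UUID" symptom, leaving the bootloader's LUKS2 handling reported above as what remains to investigate.

```shell
#!/bin/sh
# Added example: cross-check the mapped-device UUID in a Guix config against
# blkid output.  Both inputs are constructed samples, not real device data.

# Constructed stand-in for `blkid -o export /dev/sda3 /dev/mapper/cryptroot`
# (records are separated by a blank line, one key=value pair per line).
SAMPLE_BLKID='DEVNAME=/dev/sda3
UUID=1b2c3d4e-5f60-4a71-8b92-a3b4c5d6e7f8
VERSION=2
TYPE=crypto_LUKS
PARTLABEL=luks-1

DEVNAME=/dev/mapper/cryptroot
UUID=9f8e7d6c-5b4a-4392-8171-605f4e3d2c1b
TYPE=btrfs'

# Constructed config fragments: one names the container (correct), the other
# names the filesystem inside it (GRUB cannot find that UUID before unlocking).
GOOD_CONFIG='(mapped-devices
 (list (mapped-device
        (source (uuid "1b2c3d4e-5f60-4a71-8b92-a3b4c5d6e7f8"))
        (target "cryptroot")
        (type luks-device-mapping))))'
BAD_CONFIG='(mapped-devices
 (list (mapped-device
        (source (uuid "9f8e7d6c-5b4a-4392-8171-605f4e3d2c1b"))
        (target "cryptroot")
        (type luks-device-mapping))))'

# Print the UUID of the first blkid record whose TYPE equals $2.
# awk paragraph mode (RS="") walks the export output one device at a time.
uuid_for_type() {
    printf '%s\n' "$1" | awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        uuid = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UUID=/) uuid = substr($i, 6)
            if ($i ~ /^TYPE=/) type = substr($i, 6)
        }
        if (type == want && uuid != "") { print uuid; exit }
    }'
}

# Print the on-disk LUKS format version ("1" or "2") of the crypto_LUKS record.
luks_version() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
    {
        ver = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^VERSION=/) ver = substr($i, 9)
            if ($i ~ /^TYPE=/) type = substr($i, 6)
        }
        if (type == "crypto_LUKS") { print ver; exit }
    }'
}

# Print the UUID given to (source (uuid "...")) in a config fragment.
config_source_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*(source (uuid "\([^"]*\)")).*/\1/p' | head -n 1
}

# Classify a config against blkid output: ok, inner-filesystem, unknown, missing.
check_mapped_device() {
    container=$(uuid_for_type "$1" crypto_LUKS)
    inner=$(uuid_for_type "$1" btrfs)
    configured=$(config_source_uuid "$2")
    if [ -z "$configured" ]; then
        echo missing
    elif [ "$configured" = "$container" ]; then
        echo ok
    elif [ "$configured" = "$inner" ]; then
        echo inner-filesystem
    else
        echo unknown
    fi
}

echo "LUKS version on container: $(luks_version "$SAMPLE_BLKID")"
echo "good config: $(check_mapped_device "$SAMPLE_BLKID" "$GOOD_CONFIG")"
echo "bad config:  $(check_mapped_device "$SAMPLE_BLKID" "$BAD_CONFIG")"
```

On a real install the two samples would be replaced by `blkid -o export "${TARGET_DISK1}${TARGET_DISK_PART_SUFFIX}3" /dev/mapper/cryptroot` and the contents of the generated config file, run after `cryptsetup open` and before `guix system init`.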