From: Josselin Poiret via Guix-patches
Reply-to: Josselin Poiret
To: 51514@debbugs.gnu.org
Subject: [bug#51514] [PATCH 0/2] Add support for LUKS2 root partition
Date: Sat, 30 Oct 2021 15:56:33 +0000
Message-ID: <87tugypkum.fsf@jpoiret.xyz>

Hi,

This patchset adds support for a LUKS2 root partition, leveraging its
Grub support since 2.06, and making sure that the Cryptsetup run-time
locking directory /var/cryptsetup/ exists before trying to unlock
devices (this is required for LUKS2): this used to fail in early
userspace because /var/ did not exist.

I've also added some documentation on the limited support: Grub only
supports PBKDF2 and not Argon2i which is the default key derivation
function.  The example given in the Disk Partitioning section was
updated as well to use LUKS2.

My testing setup was: using a Guix VM, install onto a qcow2 disk which
is itself launched with QEMU.  It felt a bit convoluted (especially
transferring the WIP guix to the VM, then building it), and I'll see if
I can simplify this workflow a bit, but everything worked fine with
those patches.

Best,
Josselin Poiret

Josselin Poiret (2):
  gnu: system: Add LUKS2 support for the root file system.
  doc: Document LUKS2 Grub support and shortcomings

 doc/guix.texi                 | 19 ++++++++++++++-----
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 3 files changed, 23 insertions(+), 9 deletions(-)

-- 
2.33.1
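
A check for the limitation the message mentions (Grub handling PBKDF2 but not Argon2i), added here as an example; it is not part of the original message or of the patch set. It reads LUKS2 JSON metadata and reports which keyslots use a KDF Grub can handle; the sample metadata is constructed, the function names are hypothetical, and the `--dump-json-metadata` option assumes cryptsetup 2.4 or later.

```python
import json

# Constructed LUKS2 JSON metadata, trimmed to the fields this check reads
# (the shape printed by `cryptsetup luksDump --dump-json-metadata <device>`).
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1500000}}
  }
}
"""

GRUB_KDFS = {"pbkdf2"}  # per the message: Grub handles PBKDF2, not Argon2i


def keyslot_kdfs(metadata_json):
    """Return {slot_id: kdf_type} for every keyslot, ordered by slot number."""
    slots = json.loads(metadata_json).get("keyslots", {})
    ordered = sorted(slots.items(), key=lambda kv: int(kv[0]))
    return {sid: slot.get("kdf", {}).get("type", "unknown")
            for sid, slot in ordered}


def grub_report(metadata_json):
    """Split keyslots into those Grub can derive a key for and the rest."""
    kdfs = keyslot_kdfs(metadata_json)
    usable = [s for s, k in kdfs.items() if k in GRUB_KDFS]
    unusable = [s for s, k in kdfs.items() if k not in GRUB_KDFS]
    return {"usable": usable, "unusable": unusable,
            "grub_can_unlock": bool(usable)}


if __name__ == "__main__":
    for slot, kdf in keyslot_kdfs(SAMPLE_METADATA).items():
        note = "ok for Grub" if kdf in GRUB_KDFS else "Grub cannot derive this key"
        print(f"keyslot {slot}: {kdf:<8} {note}")
    if not grub_report(SAMPLE_METADATA)["grub_can_unlock"]:
        print("no PBKDF2 keyslot: Grub cannot unlock this device")
```

A passphrase stored only in an Argon2 keyslot will not unlock the device from Grub, even when another keyslot on the same device uses PBKDF2.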