* [bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by a key file
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
@ 2023-08-01 21:09 ` Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
` (4 subsequent siblings)
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2023-08-01 21:09 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..79b776e81e 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by " Tomas Volf
@ 2023-08-01 21:09 ` Tomas Volf
2023-08-02 13:02 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Tomas Volf
` (3 subsequent siblings)
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2023-08-01 21:09 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by " Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
@ 2023-08-02 13:02 ` Tomas Volf
2023-08-02 13:02 ` [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-09 23:21 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Ludovic Courtès
2023-08-10 0:22 ` [bug#65002] [PATCH 0/2] Add support for unlocking root device via " Dominik Riva via Guix-patches via
` (2 subsequent siblings)
5 siblings, 2 replies; 25+ messages in thread
From: Tomas Volf @ 2023-08-02 13:02 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
untabify
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..0755036763 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
2023-08-02 13:02 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Tomas Volf
@ 2023-08-02 13:02 ` Tomas Volf
2024-01-09 23:28 ` Ludovic Courtès
2024-01-09 23:21 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Ludovic Courtès
1 sibling, 1 reply; 25+ messages in thread
From: Tomas Volf @ 2023-08-02 13:02 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
2023-08-02 13:02 ` [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
@ 2024-01-09 23:28 ` Ludovic Courtès
2024-01-11 13:32 ` Tomas Volf
0 siblings, 1 reply; 25+ messages in thread
From: Ludovic Courtès @ 2024-01-09 23:28 UTC (permalink / raw)
To: Tomas Volf; +Cc: 65002
Tomas Volf <wolf@wolfsden.cz> skribis:
> In order to be able to provide decryption keys for the LUKS device, they need
> to be available in the initial ram disk. However they cannot be stored inside
> the usual initrd, since it is stored in the store and being a
> world-readable (as files in the store are) is not a desired property for a
> initrd containing decryption keys.
This explanation should go in the manual IMO (it’s already partly there).
> This commit adds an option to load additional initrd during the boot,
> one that is not stored inside the store and therefore can contain
> secrets.
>
> Since only grub supports encrypted /boot, only grub is modified to use the
> extra-initrd. There is no use case for the other bootloaders.
>
> * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> field.
> * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> * gnu/bootloader/grub.scm: Use the new extra-initrd field
It’d be great if you could specify the entities changes in each file
(which variable/procedure is changed, what is added/removed). A
committer can do it on your behalf later if you’re unsure.
> +@item @code{extra-initrd} (default: @code{#f})
> +Path to an additional initrd to load. Should not point to a file in the
s/Path/File name/ (by convention)
Please make full sentences. “Should not” is probably too strong;
perhaps: “It may or may not point to a file in the store, but the main
use case is for out-of-store files containing secrets.”
> +store. Typical use case is making keys to unlock LUKS device available
Add a line break after “store.” to distinguish the reference from the
discussion of one possible use case.
> +during the boot process. For any use case not involving secrets, you
> +should use regular initrd (@pxref{operating-system Reference,
> +@code{initrd}}) instead.
> +
> +Suitable image can be created for example like this:
> +
> +@example
> +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> +chmod 0000 /key-file.cpio
> +@end example
> +
> +Be careful when using this option, since pointing to a file that is not
> +readable by the grub while booting will cause the boot to fail and
> +require a manual edit of the initrd line in the grub menu.
> +
> +Currently only supported by grub.
s/grub/GRUB/
Would be great if you could include also a short config example here, or
add a cross-reference to the example for
‘luks-device-mapping-with-options’ if that covers both.
> + (extra-initrd bootloader-configuration-extra-initrd
> + (default #f)) ;string | #f
> + )
No lonely paren please. :-)
Otherwise LGTM.
Could you send updated patches with these minor changes?
Thanks!
Ludo’.
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
2024-01-09 23:28 ` Ludovic Courtès
@ 2024-01-11 13:32 ` Tomas Volf
0 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 13:32 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 65002
[-- Attachment #1: Type: text/plain, Size: 3807 bytes --]
On 2024-01-10 00:28:18 +0100, Ludovic Courtès wrote:
> Tomas Volf <wolf@wolfsden.cz> skribis:
>
> > In order to be able to provide decryption keys for the LUKS device, they need
> > to be available in the initial ram disk. However they cannot be stored inside
> > the usual initrd, since it is stored in the store and being a
> > world-readable (as files in the store are) is not a desired property for a
> > initrd containing decryption keys.
>
> This explanation should go in the manual IMO (it’s already partly there).
Done.
>
> > This commit adds an option to load additional initrd during the boot,
> > one that is not stored inside the store and therefore can contain
> > secrets.
> >
> > Since only grub supports encrypted /boot, only grub is modified to use the
> > extra-initrd. There is no use case for the other bootloaders.
> >
> > * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> > field.
> > * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> > * gnu/bootloader/grub.scm: Use the new extra-initrd field
>
> It’d be great if you could specify the entities changes in each file
> (which variable/procedure is changed, what is added/removed). A
> committer can do it on your behalf later if you’re unsure.
Done, this was one of my first patches and I was quite unsure about the commit
message format. These days I am still unsure, but a little less so. ^_^
>
> > +@item @code{extra-initrd} (default: @code{#f})
> > +Path to an additional initrd to load. Should not point to a file in the
>
> s/Path/File name/ (by convention)
>
> Please make full sentences. “Should not” is probably too strong;
> perhaps: “It may or may not point to a file in the store, but the main
> use case is for out-of-store files containing secrets.”
For content that can be present in the store, the regular `initrd' should be
used instead I think. However I adjusted the wording.
>
> > +store. Typical use case is making keys to unlock LUKS device available
>
> Add a line break after “store.” to distinguish the reference from the
> discussion of one possible use case.
>
> > +during the boot process. For any use case not involving secrets, you
> > +should use regular initrd (@pxref{operating-system Reference,
> > +@code{initrd}}) instead.
> > +
> > +Suitable image can be created for example like this:
> > +
> > +@example
> > +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> > +chmod 0000 /key-file.cpio
> > +@end example
> > +
> > +Be careful when using this option, since pointing to a file that is not
> > +readable by the grub while booting will cause the boot to fail and
> > +require a manual edit of the initrd line in the grub menu.
> > +
> > +Currently only supported by grub.
>
> s/grub/GRUB/
>
> Would be great if you could include also a short config example here, or
> add a cross-reference to the example for
> ‘luks-device-mapping-with-options’ if that covers both.
I added an example illustrating how these two work together.
>
> > + (extra-initrd bootloader-configuration-extra-initrd
> > + (default #f)) ;string | #f
> > + )
>
> No lonely paren please. :-)
Well I moved the paren, but now the comment (string | #f) looks like it is for
the whole top-level sexp, not just for the extra-initrd field.
>
> Otherwise LGTM.
>
> Could you send updated patches with these minor changes?
I will soon, just want spent a bit of time trying to make the system test for
this.
>
> Thanks!
And thank you again for the review.
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
2023-08-02 13:02 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Tomas Volf
2023-08-02 13:02 ` [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
@ 2024-01-09 23:21 ` Ludovic Courtès
2024-01-11 12:39 ` Tomas Volf
1 sibling, 1 reply; 25+ messages in thread
From: Ludovic Courtès @ 2024-01-09 23:21 UTC (permalink / raw)
To: Tomas Volf; +Cc: 65002
Hello!
I know, I know, it’s taken way too long… My apologies!
Tomas Volf <wolf@wolfsden.cz> skribis:
> Requiring the user to input their password in order to unlock a device is not
> always reasonable, so having an option to unlock the device using a key file
> is a nice quality of life change.
Agreed; there’s interest for this feature, I’ve heard it quite a few
times.
> * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> procedure
No need to repeat the file name here. Please also mention the
doc/guix.texi changes.
> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> +Return a @code{luks-device-mapping} object, which defines LUKS block
> +device encryption using the @command{cryptsetup} command from the
> +package with the same name. It relies on the @code{dm-crypt} Linux
> +kernel module.
> +
> +If @code{key-file} is provided, unlocking is first attempted using that
> +key file. If it fails, password unlock is attempted as well. Key file
> +is not stored in the store and needs to be available at the specified
> +path at the time of the unlock attempt.
s/specified path/given location/
Perhaps add a sentence or two saying that the advantage is that it
allows you to avoid typing the passphrase, for instance by passing the
key file on a USB key (would that work?), but that this may not be
suitable for all use cases.
I’d also add a short commented config example.
I wonder if we could have a system test; it doesn’t sound very easy so
maybe we’ll skip, but you can check that the “encrypted-root-os” test,
which exercises ‘luks-device-mapping’, still passes (it takes time and
disk space).
The rest LGTM!
Ludo’.
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
2024-01-09 23:21 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Ludovic Courtès
@ 2024-01-11 12:39 ` Tomas Volf
2024-01-11 17:39 ` Tomas Volf
0 siblings, 1 reply; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 12:39 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 65002
[-- Attachment #1: Type: text/plain, Size: 2605 bytes --]
On 2024-01-10 00:21:19 +0100, Ludovic Courtès wrote:
> Hello!
>
> I know, I know, it’s taken way too long… My apologies!
No worries, thank you for getting to it. :)
>
> > * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> > procedure
>
> No need to repeat the file name here. Please also mention the
> doc/guix.texi changes.
Adjusted. I also fixed the name of the first procedure (should have been
open-luks-device).
>
> > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> > +Return a @code{luks-device-mapping} object, which defines LUKS block
> > +device encryption using the @command{cryptsetup} command from the
> > +package with the same name. It relies on the @code{dm-crypt} Linux
> > +kernel module.
> > +
> > +If @code{key-file} is provided, unlocking is first attempted using that
> > +key file. If it fails, password unlock is attempted as well. Key file
> > +is not stored in the store and needs to be available at the specified
> > +path at the time of the unlock attempt.
>
> s/specified path/given location/
>
> Perhaps add a sentence or two saying that the advantage is that it
> allows you to avoid typing the passphrase, for instance by passing the
> key file on a USB key (would that work?), but that this may not be
> suitable for all use cases.
Added a sentence. As for the USB key, that would not currently work. The file
needs to be accessible to the init script, so the USB would need to be mounted
first. I believe extending the code to support it would not be hard (adding
e.g. #:device to luks-device-mapping-with-options), but I have not use for it,
so I did not intend to do it in this series. Maybe later.
>
> I’d also add a short commented config example.
Done.
>
> I wonder if we could have a system test; it doesn’t sound very easy so
> maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> which exercises ‘luks-device-mapping’, still passes (it takes time and
> disk space).
It does not pass, but it fails even on master ¯\_ (ツ)_/¯:
guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt
It seems somewhat hard to do it based on encrypted-root-os, but should be much
easier basing it on encrypted-home-os. I might give it a try.
>
> The rest LGTM!
>
> Ludo’.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
2024-01-11 12:39 ` Tomas Volf
@ 2024-01-11 17:39 ` Tomas Volf
0 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:39 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 65002
[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]
On 2024-01-11 13:39:36 +0100, Tomas Volf wrote:
>
> >
> > I wonder if we could have a system test; it doesn’t sound very easy so
> > maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> > which exercises ‘luks-device-mapping’, still passes (it takes time and
> > disk space).
>
> It does not pass, but it fails even on master ¯\_ (ツ)_/¯:
>
> guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt
>
> It seems somewhat hard to do it based on encrypted-root-os, but should be much
> easier basing it on encrypted-home-os. I might give it a try.
I managed to figure out the system test for this, however it required unrelated
changes, since encrypted-root-os and encrypted-home-os were broken even on
master. I included my new test (together with the fixes) in v3.
Also, I messed up, and sent this *without* the v3 by accident. When I realized,
I sent it once more, this time properly as v3. Sorry for the noise.
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
` (2 preceding siblings ...)
2023-08-02 13:02 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Tomas Volf
@ 2023-08-10 0:22 ` Dominik Riva via Guix-patches via
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
5 siblings, 0 replies; 25+ messages in thread
From: Dominik Riva via Guix-patches via @ 2023-08-10 0:22 UTC (permalink / raw)
To: 65002@debbugs.gnu.org
[-- Attachment #1.1: Type: text/plain, Size: 1369 bytes --]
Hi,
I can confirm, the patches work for me but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.
;; Use the UEFI variant of GRUB with the EFI System
;; Partition mounted on /boot/efi.
;; /root in /root/key-file.cpio refers to the
;; /dev/mapper/enc btrfs root subvolume and not the home of root.
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader-luks2)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)
(extra-initrd "/root/key-file.cpio")))
;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
(target "enc")
(type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))
The snipped from https://issues.guix.gnu.org/55723#0 also needed a some changes.
I had to swap line 2 with 3, I switched ext2 with btrfs and the different format for the uuid ticked me as well.
But now I have a booting system and the passphrase only gets asked for once.
Thanks,
Dominik
[1] full config.scm: https://paste.debian.net/1288436/
[-- Attachment #1.2: publickey - driva@protonmail.ch - 0x1019089F.asc --]
[-- Type: application/pgp-keys, Size: 1718 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 509 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by a key file.
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
` (3 preceding siblings ...)
2023-08-10 0:22 ` [bug#65002] [PATCH 0/2] Add support for unlocking root device via " Dominik Riva via Guix-patches via
@ 2024-01-11 17:32 ` Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
` (4 more replies)
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
5 siblings, 5 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
From: Tomas Volf <wolf@wolfsden.cz>
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.
Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
doc/guix.texi | 25 +++++++++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 67 insertions(+), 25 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
Copyright @copyright{} 2023 Thomas Ieong@*
Copyright @copyright{} 2023 Saku Laesvuori@*
Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot. If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;; cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
@ 2024-01-11 17:32 ` Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
` (3 subsequent siblings)
4 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
From: Tomas Volf <wolf@wolfsden.cz>
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++
gnu/bootloader.scm | 6 ++++-
gnu/bootloader/grub.scm | 7 ++++--
3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test.
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
@ 2024-01-11 17:32 ` Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
` (2 subsequent siblings)
4 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
Based on encrypted-home-os, this test verifies unlocking via a key file.
* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.
Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
#:use-module (gnu packages admin)
#:use-module (gnu packages bootloaders)
#:use-module (gnu packages commencement) ;for 'guile-final'
+ #:use-module (gnu packages cpio)
#:use-module (gnu packages cryptsetup)
#:use-module (gnu packages disk)
#:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
%test-raid-root-os
%test-encrypted-root-os
%test-encrypted-home-os
+ %test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
%test-btrfs-root-os
%test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
mkfs.ext4 -L root-fs /dev/vdb2
mkfs.ext4 -L home-fs /dev/mapper/the-home-device
mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests. So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+ echo /key-file.bin | cpio -oH newc > key-file.cpio
+ chmod 0000 key-file.cpio
+ mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+ cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
mkdir /mnt/home
mount /dev/mapper/the-home-device /mnt/home
df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
(mlet* %store-monad ((images (run-install %encrypted-home-os
%encrypted-home-os-source
#:script
- %encrypted-home-installation-script))
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
+\f
+;;;
+;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source)
+ (use-modules (gnu) (gnu tests))
+
+ (operating-system
+ (host-name "cipherhome")
+ (timezone "Europe/Prague")
+ (locale "en_US.utf8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/vdb"))
+ (extra-initrd "/key-file.cpio")))
+ (kernel-arguments '("console=ttyS0"))
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-home-device")
+ (type (luks-device-mapping-with-options
+ #:key-file "/key-file.bin")))))
+ (file-systems (cons* (file-system
+ (device (file-system-label "root-fs"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (file-system-label "home-fs"))
+ (mount-point "/home")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-home-os-key-file
+ (system-test
+ (name "encrypted-home-os-key-file")
+ (description
+ "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source
+ #:script
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-home-os-key-file
+ command "encrypted-home-os-key-file")))))
+
\f
;;;
;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS.
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
@ 2024-01-11 17:32 ` Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
4 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key. This commit therefore
sets the iteration time to the lowest possible value, 1(ms).
* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.
Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
mkpart primary ext2 50M 1.6G \\
set 1 boot on \\
set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
mkfs.ext4 -L my-root /dev/mapper/root
mkfs.ext4 -L my-boot /dev/vdb2
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test.
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
` (2 preceding siblings ...)
2024-01-11 17:32 ` [bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
@ 2024-01-11 17:32 ` Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
4 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
The installation no longer fits into the 1.6G, leading to a warning while
running the test:
guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt
Followed by a failure:
93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1
This commit increases the root partition to 2G, making the test pass again.
* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
ls -l /run/current-system/gc-roots
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
+ mkpart primary ext2 3M 2G \\
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
` (3 preceding siblings ...)
2024-01-11 17:32 ` [bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
@ 2024-01-11 17:32 ` Tomas Volf
4 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:32 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
The installation no longer fits into the 1.6G, leading to a warning while
running the test:
guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt
Followed by a failure:
93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1
This commit increases the root partition to 2G, making the test pass again.
* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.
Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
export GUIX_BUILD_OPTIONS=--no-grafts
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
- mkpart primary 1.6G 2.0G \\
+ mkpart primary ext2 3M 2G \\
+ mkpart primary 2G 2.4G \\
set 1 boot on \\
set 1 bios_grub on
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
%encrypted-home-os-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
%encrypted-home-os-key-file-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os-key-file
command "encrypted-home-os-key-file")))))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
` (4 preceding siblings ...)
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
` (5 more replies)
5 siblings, 6 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
From: Tomas Volf <wolf@wolfsden.cz>
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.
* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.
Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
doc/guix.texi | 25 +++++++++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 67 insertions(+), 25 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
Copyright @copyright{} 2023 Thomas Ieong@*
Copyright @copyright{} 2023 Saku Laesvuori@*
Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot. If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;; cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
` (4 subsequent siblings)
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
From: Tomas Volf <wolf@wolfsden.cz>
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++
gnu/bootloader.scm | 6 ++++-
gnu/bootloader/grub.scm | 7 ++++--
3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
` (3 subsequent siblings)
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
Based on encrypted-home-os, this test verifies unlocking via a key file.
* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.
Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
#:use-module (gnu packages admin)
#:use-module (gnu packages bootloaders)
#:use-module (gnu packages commencement) ;for 'guile-final'
+ #:use-module (gnu packages cpio)
#:use-module (gnu packages cryptsetup)
#:use-module (gnu packages disk)
#:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
%test-raid-root-os
%test-encrypted-root-os
%test-encrypted-home-os
+ %test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
%test-btrfs-root-os
%test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
mkfs.ext4 -L root-fs /dev/vdb2
mkfs.ext4 -L home-fs /dev/mapper/the-home-device
mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests. So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+ echo /key-file.bin | cpio -oH newc > key-file.cpio
+ chmod 0000 key-file.cpio
+ mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+ cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
mkdir /mnt/home
mount /dev/mapper/the-home-device /mnt/home
df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
(mlet* %store-monad ((images (run-install %encrypted-home-os
%encrypted-home-os-source
#:script
- %encrypted-home-installation-script))
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
+\f
+;;;
+;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source)
+ (use-modules (gnu) (gnu tests))
+
+ (operating-system
+ (host-name "cipherhome")
+ (timezone "Europe/Prague")
+ (locale "en_US.utf8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/vdb"))
+ (extra-initrd "/key-file.cpio")))
+ (kernel-arguments '("console=ttyS0"))
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-home-device")
+ (type (luks-device-mapping-with-options
+ #:key-file "/key-file.bin")))))
+ (file-systems (cons* (file-system
+ (device (file-system-label "root-fs"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (file-system-label "home-fs"))
+ (mount-point "/home")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-home-os-key-file
+ (system-test
+ (name "encrypted-home-os-key-file")
+ (description
+ "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source
+ #:script
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-home-os-key-file
+ command "encrypted-home-os-key-file")))))
+
\f
;;;
;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-14 20:54 ` Ludovic Courtès
2024-01-11 17:35 ` [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
` (2 subsequent siblings)
5 siblings, 1 reply; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key. This commit therefore
sets the iteration time to the lowest possible value, 1(ms).
* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.
Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
mkpart primary ext2 50M 1.6G \\
set 1 boot on \\
set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
mkfs.ext4 -L my-root /dev/mapper/root
mkfs.ext4 -L my-boot /dev/vdb2
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
` (2 preceding siblings ...)
2024-01-11 17:35 ` [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
2024-01-14 20:53 ` bug#65002: [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Ludovic Courtès
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
The installation no longer fits into the 1.6G, leading to a warning while
running the test:
guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt
Followed by a failure:
93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1
This commit increases the root partition to 2G, making the test pass again.
* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
ls -l /run/current-system/gc-roots
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
+ mkpart primary ext2 3M 2G \\
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
` (3 preceding siblings ...)
2024-01-11 17:35 ` [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
@ 2024-01-11 17:35 ` Tomas Volf
2024-01-14 20:53 ` bug#65002: [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Ludovic Courtès
5 siblings, 0 replies; 25+ messages in thread
From: Tomas Volf @ 2024-01-11 17:35 UTC (permalink / raw)
To: 65002; +Cc: Tomas Volf
The installation no longer fits into the 1.6G, leading to a warning while
running the test:
guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt
Followed by a failure:
93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1
This commit increases the root partition to 2G, making the test pass again.
* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.
Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
export GUIX_BUILD_OPTIONS=--no-grafts
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
- mkpart primary 1.6G 2.0G \\
+ mkpart primary ext2 3M 2G \\
+ mkpart primary 2G 2.4G \\
set 1 boot on \\
set 1 bios_grub on
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
%encrypted-home-os-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
%encrypted-home-os-key-file-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os-key-file
command "encrypted-home-os-key-file")))))
--
2.41.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* bug#65002: [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
` (4 preceding siblings ...)
2024-01-11 17:35 ` [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
@ 2024-01-14 20:53 ` Ludovic Courtès
5 siblings, 0 replies; 25+ messages in thread
From: Ludovic Courtès @ 2024-01-14 20:53 UTC (permalink / raw)
To: Tomas Volf; +Cc: 65002-done, Tomas Volf
Hi Tomas,
I finally applied v3 of this patch series, it looks great to me.
Thank you, and again apologies for the long delay!
Ludo’.
^ permalink raw reply [flat|nested] 25+ messages in thread