LUKS-encrypted root fails using device numbering, needs luksUUID

  • Open
Details
2 participants
  • Jan Nieuwenhuizen
  • Ludovic Courtès
Owner
unassigned
Submitted by
Jan Nieuwenhuizen
Severity
normal
Jan Nieuwenhuizen wrote on 24 Mar 2018 09:22
(address . bug-guix@gnu.org)
87tvt5dgsa.fsf@gnu.org
Hi!

Following the example in 6.2.4 Mapped Devices

(mapped-device
  (source "/dev/sda3")
  (target "home")
  (type luks-device-mapping))

I chose not to use the UUID alternative for encrypted root; I'm terrible
at memorizing and typing UUIDs. So I used this snippet (full
bare-luks.scm below)

(mapped-device
  ;; This does not work
  (source "/dev/nvme0n1p1")
  ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
  ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
  (target "guix")
  (type luks-device-mapping))

For disk partitioning, I did

cryptsetup luksFormat /dev/nvme0n1p1
cryptsetup open --type=luks /dev/nvme0n1p1 guix
mkfs.ext4 -L guix /dev/mapper/guix

then install, something like

mount /dev/mapper/guix /mnt
herd start cow-store /mnt
guix system init /mnt/root/bare-luks.scm /mnt

After booting I get

Device /dev/nvme0n1p1 doesn't exist or access denied

Using the luksUUID, it works. Except for this hurdle a pleasant and
straightforward fresh install :-)

Greetings,
janneke

;; lsblk.out
;; NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
;; sda           8:0    1  14.5G  0 disk
;; ├─sda1        8:1    1   1.4G  0 part
;; └─sda2        8:2    1    40M  0 part
;; nvme0n1     259:0    0   477G  0 disk
;; └─nvme0n1p1 259:1    0   477G  0 part
;;   └─guix    253:0    0   477G  0 crypt /mnt

;; bare-luks.scm
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

(define %supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "kvm"))

(operating-system
  (host-name "dundal")
  (timezone "Europe/Amsterdam")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/nvme0n1")))
  (mapped-devices
   (list (mapped-device
          ;; This does not work
          (source "/dev/nvme0n1p1")
          ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
          ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
          (target "guix")
          (type luks-device-mapping))))
  (file-systems
   (cons* (file-system (title 'device)
                       (device "/dev/mapper/guix")
                       (mount-point "/")
                       (type "ext4")
                       (dependencies mapped-devices))
          %base-file-systems))
  (groups
   (cons* (user-group (name "janneke"))
          %base-groups))
  (users
   (cons* (user-account
           (name "janneke")
           (group "janneke")
           (uid 1000)
           (supplementary-groups %supplementary-groups)
           (home-directory "/home/janneke"))
          %base-user-accounts))

  (packages (cons* screen openssh wpa-supplicant-minimal %base-packages))

  (services (cons* (dhcp-client-service)
                   (console-keymap-service "dvorak" "ctrl")
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 2222)
                             (permit-root-login #t)
                             (allow-empty-passwords? #f)
                             (password-authentication? #t)))
                   %base-services)))

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
Ludovic Courtès wrote on 26 Mar 2018 15:37
(name . Jan Nieuwenhuizen)(address . janneke@gnu.org)
87efk7dkle.fsf@gnu.org
Hello,

Jan Nieuwenhuizen <janneke@gnu.org> wrote:

> After booting I get
>
> Device /dev/nvme0n1p1 doesn't exist or access denied

This message comes from ‘cryptsetup’.

The ‘init’ script for the config you posted does this:

(boot-system #:mounts (map spec->file-system
                           (quote (("/dev/mapper/guix"
                                    device "/" "ext4" ()
                                    #f #t))))
             #:pre-mount (lambda ()
                           (and (let ((source "/dev/nvme0n1p1"))
                                  (use-modules (rnrs bytevectors)
                                               ((gnu build file-systems)
                                                #:select
                                                (find-partition-by-luks-uuid)))
                                  (zero? (system*
                                          "/gnu/store/v5r0dx5v08847rcy033kyish6m3b3621-cryptsetup-static-1.7.5/sbin/cryptsetup"
                                          "open" "--type" "luks"
                                          (if (bytevector? source)
                                              (or (let loop ((tries-left 10))
                                                    (and (positive? tries-left)
                                                         (or (find-partition-by-luks-uuid source)
                                                             (begin
                                                               (sleep 1)
                                                               (loop (- tries-left 1))))))
                                                  (error "LUKS partition not found" source))
                                              source)
                                          "guix")))))

IOW, it does the right thing whether or not you’re using a UUID.

However, when using a UUID, it waits for the device to show up, whereas
otherwise it assumes the /dev node is already there and invokes
‘cryptsetup’ right away.

We should fix that and generalize the wait-for-device loop, which
already exists in a couple of instances.

There are connections with https://bugs.gnu.org/30604.

Ludo’.
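A sketch of the generalized wait-for-device loop Ludo' describes, as an added example that is not part of this thread or of Guix's own code: `find-partition-by-luks-uuid` is the Guix procedure the init script above already uses, while the `wait-for-device` and `open-luks-device` names and the retry count are assumptions.

```scheme
;; Added example: one polling loop that serves both a /dev path and a LUKS
;; UUID, instead of waiting only in the UUID case.  find-partition-by-luks-uuid
;; comes from Guix's (gnu build file-systems); wait-for-device and
;; open-luks-device are assumed names, not Guix API.
(use-modules (rnrs bytevectors)
             ((gnu build file-systems) #:select (find-partition-by-luks-uuid)))

(define* (wait-for-device source #:key (tries 10) (pause 1))
  "Return the device node for SOURCE, a /dev path string or a LUKS UUID
bytevector, polling up to TRIES times with PAUSE seconds between attempts.
Return #f if it never appears, so the caller decides how to fail."
  (define (probe)
    (if (bytevector? source)
        (find-partition-by-luks-uuid source)    ; UUID: scan LUKS headers
        (and (file-exists? source) source)))    ; path: wait for the /dev node
  (let loop ((tries-left tries))
    (and (positive? tries-left)
         (or (probe)
             (begin
               (sleep pause)
               (loop (- tries-left 1)))))))

(define (open-luks-device source target)
  "Unlock SOURCE as /dev/mapper/TARGET, waiting for the device first.  With a
path source, cryptsetup is no longer run before the /dev node exists, which is
the 'doesn't exist or access denied' failure reported above."
  (let ((device (or (wait-for-device source)
                    (error "LUKS partition not found" source))))
    (zero? (system* "cryptsetup" "open" "--type" "luks" device target))))

;; Both forms from the report would then go through the same path, e.g.
;;   (open-luks-device "/dev/nvme0n1p1" "guix")
;;   (open-luks-device <luks-uuid-bytevector> "guix")
```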
To comment on this conversation send an email to 30922@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 30922
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch