LUKS-encrypted root fails using device numbering, needs luksUUID

  • Open
  • quality assurance status badge
Details
2 participants
  • Jan Nieuwenhuizen
  • Ludovic Courtès
Owner
unassigned
Submitted by
Jan Nieuwenhuizen
Severity
normal
J
J
Jan Nieuwenhuizen wrote on 24 Mar 2018 09:22
(address . bug-guix@gnu.org)
87tvt5dgsa.fsf@gnu.org
Hi!

Following the example in 6.2.4 Mapped Devices

(mapped-device
(source "/dev/sda3")
(target "home")
(type luks-device-mapping))

I chose not to use the UUID alternative for encrypted root; I'm terrible
at memorizing and typing UUIDs. So I used this snippet (full
bare-luks.scm below)

(mapped-device
;; This does not work
(source "/dev/nvme0n1p1")
;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
(target "guix")
(type luks-device-mapping))

For disk partitioning, I did

cryptsetup luksFormat /dev/nvme0n1p1
cryptsetup open --type=luks /dev/nvme0n1p1 guix
mkfs.ext4 -L guix /dev/mapper/guix

then install, something like

mount /dev/mapper/guix /mnt
herd start cow-store /mnt
guix system init /mnt/root/bare-luks.scm /mnt

After booting I get

Device /dev/nvme0n1p1 doesn't exist or access denied

Using the luksUUID, it works. Except for this hurdle a pleasant and
straighforward fresh install :-)

Greetings,
janneke

Toggle snippet (10 lines)
;; lsblk.out
;; NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
;; sda 8:0 1 14.5G 0 disk
;; ??sda1 8:1 1 1.4G 0 part
;; ??sda2 8:2 1 40M 0 part
;; nvme0n1 259:0 0 477G 0 disk
;; ??nvme0n1p1 259:1 0 477G 0 part
;; ??guix 253:0 0 477G 0 crypt /mnt

Toggle snippet (55 lines)
;; bare-luks.scm
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

(define %supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "kvm"))

(operating-system
(host-name "dundal")
(timezone "Europe/Amsterdam")
(locale "en_US.utf8")

(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/nvme0n1")))
(mapped-devices
(list (mapped-device
;; This does not work
(source "/dev/nvme0n1p1")
;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
(target "guix")
(type luks-device-mapping))))
(file-systems
(cons* (file-system (title 'device)
(device "/dev/mapper/guix")
(mount-point "/")
(type "ext4")
(dependencies mapped-devices))
%base-file-systems))
(groups
(cons* (user-group (name "janneke"))
%base-groups))
(users
(cons* (user-account
(name "janneke")
(group "janneke")
(uid 1000)
(supplementary-groups %supplementary-groups)
(home-directory "/home/janneke"))
%base-user-accounts))

(packages (cons* screen openssh wpa-supplicant-minimal %base-packages))

(services (cons* (dhcp-client-service)
(console-keymap-service "dvorak" "ctrl")
(service openssh-service-type
(openssh-configuration
(port-number 2222)
(permit-root-login #t)
(allow-empty-passwords? #f)
(password-authentication? #t)))
%base-services)))

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com
L
L
Ludovic Courtès wrote on 26 Mar 2018 15:37
(name . Jan Nieuwenhuizen)(address . janneke@gnu.org)
87efk7dkle.fsf@gnu.org
Hello,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

Toggle quote (4 lines)
> After booting I get
>
> Device /dev/nvme0n1p1 doesn't exist or access denied

This message comes from ‘cryptsetup’.

The ‘init’ script for the config you posted does this:

Toggle snippet (26 lines)
(boot-system #:mounts (map spec->file-system
(quote (("/dev/mapper/guix"
device "/" "ext4" ()
#f #t))))
#:pre-mount (lambda ()
(and (let ((source "/dev/nvme0n1p1"))
(use-modules (rnrs bytevectors)
((gnu build file-systems)
#:select
(find-partition-by-luks-uuid)))
(zero? (system*
"/gnu/store/v5r0dx5v08847rcy033kyish6m3b3621-cryptsetup-static-1.7.5/sbin/cryptsetup"
"open" "--type" "luks"
(if (bytevector? source)
(or (let loop ((tries-left 10))
(and (positive? tries-left)
(or (find-partition-by-luks-uuid source)
(begin
(sleep 1)
(loop (- tries-left 1))))))
(error "LUKS partition not found" source))
source)
"guix")))))

IOW, it does the right thing whether or not you’re using a UUID.

However, when using a UUID, it waits for the device to show up, whereas
otherwise it assumes the /dev node is already there and invokes
‘cryptsetup’ right away.

We should fix that and generalize the wait-for-device loop, which
already exists in a couple of instances.

There are connections with https://bugs.gnu.org/30604.

Ludo’.
?