[PATCH 0/2] Add support for LUKS2 root partition

Josselin Poiret wrote on 30 Oct 2021 17:56
(address . guix-patches@gnu.org)
87tugypkum.fsf@jpoiret.xyz
Hi,

This patchset adds support for a LUKS2 root partition, leveraging its
Grub support since 2.06, and making sure that the Cryptsetup run-time
locking directory /var/cryptsetup/ exists before trying to unlock
devices (this is required for LUKS2): this used to fail in early
userspace because /var/ did not exist. I've also added some
documentation on the limited support: Grub only supports PBKDF2 and
not Argon2i which is the default key derivation function. The example
given in the Disk Partitioning section was updated as well to use
LUKS2.

My testing setup was: using a Guix VM, install onto a qcow2 disk which
is itself launched with QEMU. It felt a bit convoluted (especially
transferring the WIP guix to the VM, then building it), and I'll see if
I can simplify this workflow a bit, but everything worked fine with
those patches.

Best,
Josselin Poiret

Josselin Poiret (2):
gnu: system: Add LUKS2 support for the root file system.
doc: Document LUKS2 Grub support and shortcomings

doc/guix.texi | 19 ++++++++++++++-----
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
3 files changed, 23 insertions(+), 9 deletions(-)

--
2.33.1
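The GRUB limitation the cover letter describes (only PBKDF2 keyslots can be unlocked) can be checked before rebooting onto an encrypted root. The following is an added example, not part of this patchset or of Guix: a POSIX shell function that parses `cryptsetup luksDump` output for the PBKDF of each keyslot, run here on a constructed sample header rather than a real device.

```shell
#!/bin/sh
# check_luks2_keyslots: read `cryptsetup luksDump DEVICE` output on stdin and
# print the PBKDF of every LUKS2 keyslot.  Returns 0 when at least one keyslot
# uses pbkdf2 (the only PBKDF the GRUB 2.06 luks2 module can unlock), else 1.
check_luks2_keyslots() {
    awk '
        /^Version:/ { version = $2 }
        # A line that starts in column 0 opens a new section.  Only "Keyslots:"
        # matters: the "Digests:" section also reads "0: pbkdf2", so a plain
        # grep for pbkdf2 would wrongly pass an argon2-only header.
        /^[A-Za-z][A-Za-z ]*:/ { section = $1; slot = "" }
        section == "Keyslots:" && /^ *[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        section == "Keyslots:" && slot != "" && /^[ \t]*PBKDF:/ {
            printf "slot %s: %s\n", slot, $2
            if ($2 == "pbkdf2") ok = 1
        }
        END {
            # LUKS1 keyslots always use PBKDF2; the luks module handles them.
            if (version == "1") exit 0
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed sample in luksDump layout (not captured from a real device):
# keyslot 0 uses argon2id, keyslot 1 uses the PBKDF given as $1, and the
# Digests section says pbkdf2 regardless, the false positive guarded above.
sample_dump() {
    printf 'LUKS header information\nVersion:\t2\nUUID:\t%s\n\n' \
        '00000000-0000-0000-0000-000000000000'
    printf 'Data segments:\n  0: crypt\n\tcipher: aes-xts-plain64\n\n'
    printf 'Keyslots:\n  0: luks2\n\tKey:\t512 bits\n\tPBKDF:\targon2id\n'
    printf '  1: luks2\n\tKey:\t512 bits\n\tPBKDF:\t%s\n' "$1"
    printf 'Tokens:\nDigests:\n  0: pbkdf2\n\tHash:\tsha256\n'
}

# On a real system: cryptsetup luksDump /dev/sda2 | check_luks2_keyslots
sample_dump pbkdf2 | check_luks2_keyslots
```

A non-zero exit means no keyslot on the device can be opened by GRUB, so the root would be unreachable at boot.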
Josselin Poiret wrote on 30 Oct 2021 18:12
[PATCH 1/2] gnu: system: Add LUKS2 support for the root file system.
(address . 51514@debbugs.gnu.org)(name . Josselin Poiret)(address . dev@jpoiret.xyz)
20211030161237.28298-1-dev@jpoiret.xyz
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
;; Other type of devices aren't implemented.
#~()))
(let ((devices (map crypto-device->cryptomount store-crypto-devices))
- ;; XXX: Add luks2 when grub 2.06 is packaged.
- (modules #~(format port "insmod luks~%")))
+ (modules #~(format port "insmod luks~%insmod luks2~%")))
(if (null? devices)
devices
(cons modules devices))))
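Review bot: the hunk drops the "XXX: Add luks2 when grub 2.06 is packaged" comment without leaving any record that `insmod luks2` needs GRUB 2.06 or later; suggest replacing it with a one-line comment such as `;; 'luks2' needs GRUB >= 2.06 and only unlocks PBKDF2 keyslots.` so that anyone building against an older grub package knows why unlocking the root device would fail.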
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..95944b03c8 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
- '((gnu build file-systems)))
+ '((gnu build file-systems)
+ (guix build utils))) ;; For mkdir-p
(match targets
((target)
#~(let ((source #$(if (uuid? source)
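Review bot: style: the margin comment `;; For mkdir-p` sits after code on the same line, where the surrounding file uses a single `;` (see the `;bytevector?` margin comment in the next hunk). Separately, since this is a `source-module-closure`, (guix build utils) and everything it imports now land in the initrd that the comment below tries to keep small; worth a quick check that its closure stays pure Scheme.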
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
- #:select (find-partition-by-luks-uuid)))
+ #:select (find-partition-by-luks-uuid))
+ ((guix build utils) #:select (mkdir-p)))
+
+ ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+ ;; is mandatory for LUKS2.
+ (mkdir-p "/run/cryptsetup/")
;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
;; whole world inside the initrd (for when we're in an initrd).
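Review bot: the directory created here is `/run/cryptsetup/`, while the cover letter describes the lock directory as `/var/cryptsetup/` and attributes the earlier failure to `/var/` being absent; please reconcile the two, since only the directory the packaged cryptsetup-static actually uses for its locks matters. Also, `mkdir-p` runs unconditionally before `cryptsetup open`, so if `/run` is not yet writable at this point in the initrd the gexp fails before cryptsetup prints anything useful; a short note in the comment on why `/run` is known to be writable here would help.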
--
2.33.1
Josselin Poiret wrote on 30 Oct 2021 18:12
[PATCH 2/2] doc: Document LUKS2 Grub support and shortcomings
(address . 51514@debbugs.gnu.org)(name . Josselin Poiret)(address . dev@jpoiret.xyz)
20211030161237.28298-2-dev@jpoiret.xyz
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
doc/guix.texi | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 22215214e0..4420f67050 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2492,13 +2492,22 @@ mkfs.ext4 -L my-root /dev/sda2
If you are instead planning to encrypt the root partition, you can use
the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information). Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that Grub can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for Cryptsetup on Guix. You can check which key derivation function is
+being used by a device by running @command{cryptsetup luksDump <dev>},
+and looking for the PBKDF field of your keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence would be along these lines:
@example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition
@end example
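Review bot: the warning explains how to inspect the PBKDF with `cryptsetup luksDump` but not what happens when it is not PBKDF2: GRUB will be unable to unlock the root device at boot, so the `--pbkdf pbkdf2` flag in the example is not optional. Suggest one sentence making that consequence explicit and tying it to the flag in the example below.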
--
2.33.1
Ludovic Courtès wrote on 12 Nov 2021 23:32
Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
(name . Josselin Poiret)(address . dev@jpoiret.xyz)(address . 51514@debbugs.gnu.org)
87h7chdmzh.fsf_-_@gnu.org
Hello!

I haven’t tested it, but the patches LGTM. Nitpick:

Josselin Poiret <dev@jpoiret.xyz> wrote:

> * doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
> Partitioning]: Document it.

[…]

> +@quotation Warning
> +Note that Grub can unlock LUKS2 devices since version 2.06, but only

s/Grub/GRUB/ :-)

> +supports the PBKDF2 key derivation function, which is not the default
> +for Cryptsetup on Guix. You can check which key derivation function is
> +being used by a device by running @command{cryptsetup luksDump <dev>},

@var{device} rather than <dev>.

> +and looking for the PBKDF field of your keyslots.

Should we change “which is not the default for Cryptsetup on Guix” to
“but @command{cryptsetup luksFormat} does not use PBKDF2 by default”?

> +@end quotation
> +
> +Assuming you want to store the root partition on @file{/dev/sda2}, the
> +command sequence would be along these lines:
^
+ “to format it as a LUKS2 partition”

Could you send an updated version of this patch?

Besides, do you think we should change the installer to create LUKS2
partitions now in (gnu installer parted)?

Thanks!

Ludo’.
Josselin Poiret wrote on 15 Nov 2021 21:53
[PATCH v2 1/3] gnu: system: Add LUKS2 support for the root file system.
(name . Ludovic Courtès)(address . ludo@gnu.org)
20211115205341.9724-2-dev@jpoiret.xyz
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
gnu/bootloader/grub.scm | 3 +--
gnu/system/mapped-devices.scm | 10 ++++++++--
2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
;; Other type of devices aren't implemented.
#~()))
(let ((devices (map crypto-device->cryptomount store-crypto-devices))
- ;; XXX: Add luks2 when grub 2.06 is packaged.
- (modules #~(format port "insmod luks~%")))
+ (modules #~(format port "insmod luks~%insmod luks2~%")))
(if (null? devices)
devices
(cons modules devices))))
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..96a381d5fe 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
- '((gnu build file-systems)))
+ '((gnu build file-systems)
+ (guix build utils))) ;; For mkdir-p
(match targets
((target)
#~(let ((source #$(if (uuid? source)
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
- #:select (find-partition-by-luks-uuid)))
+ #:select (find-partition-by-luks-uuid))
+ ((guix build utils) #:select (mkdir-p)))
+
+ ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+ ;; is mandatory for LUKS2.
+ (mkdir-p "/run/cryptsetup/")
;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
;; whole world inside the initrd (for when we're in an initrd).
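Review bot: the hunk lines here are identical to v1, yet the post-image blob in the index line changed (95944b03c8 in v1, 96a381d5fe here) against the same base 518dbc4fe8, so something outside the shown context, most likely whitespace, differs between the two versions; an interdiff against v1 would confirm that is all it is.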
--
2.33.1
Josselin Poiret wrote on 15 Nov 2021 21:53
[PATCH v2 2/3] doc: Document LUKS2 GRUB support and shortcomings
(name . Ludovic Courtès)(address . ludo@gnu.org)
20211115205341.9724-3-dev@jpoiret.xyz
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
doc/guix.texi | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1b10e2d626..95d286a836 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -98,6 +98,7 @@ Copyright @copyright{} 2021 pukkamustard@*
Copyright @copyright{} 2021 Alice Brenon@*
Copyright @copyright{} 2021 Andrew Tropin@*
Copyright @copyright{} 2021 Sarah Morgensen@*
+Copyright @copyright{} 2021 Josselin Poiret@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -2492,13 +2493,24 @@ mkfs.ext4 -L my-root /dev/sda2
If you are instead planning to encrypt the root partition, you can use
the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information). Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that GRUB can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for @command{cryptsetup luksFormat}. You can check which key derivation
+function is being used by a device by running @command{cryptsetup
+luksDump @var{device}}, and looking for the PBKDF field of your
+keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence to format it as a LUKS2 partition would be along these
+lines:
@example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition
@end example
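Review bot: style: "Note that" is redundant as the opening words of a `@quotation Warning`; "GRUB can unlock LUKS2 devices since version 2.06, but ..." reads more directly and matches the rest of the manual's warnings.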
--
2.33.1
Josselin Poiret wrote on 15 Nov 2021 21:53
[PATCH v2 3/3] installer: Make LUKS2 the default format for encrypted devices
(name . Ludovic Courtès)(address . ludo@gnu.org)
20211115205341.9724-4-dev@jpoiret.xyz
* gnu/installer/parted.scm (luks-format-and-open): Change it.
---
gnu/installer/parted.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/installer/parted.scm b/gnu/installer/parted.scm
index cbe676017b..00de0a30fa 100644
--- a/gnu/installer/parted.scm
+++ b/gnu/installer/parted.scm
@@ -1165,8 +1165,9 @@ (define (luks-format-and-open user-partition)
(lambda (key-file)
(syslog "formatting and opening LUKS entry ~s at ~s~%"
label file-name)
- (system* "cryptsetup" "-q" "luksFormat" file-name key-file)
- (system* "cryptsetup" "open" "--type" "luks"
+ (system* "cryptsetup" "-q" "luksFormat" "--type" "luks2"
+ "--pbkdf" "pbkdf2" file-name key-file)
+ (system* "cryptsetup" "open"
"--key-file" key-file file-name label)))))
(define (luks-close user-partition)
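Review bot: the return values of both `system*` calls are discarded, so a failing `cryptsetup luksFormat` (for instance a cryptsetup that does not accept `--pbkdf`) is followed by `cryptsetup open` on an unformatted device and the installer only notices much later; suggest checking each call, e.g. `(unless (zero? (system* "cryptsetup" "-q" "luksFormat" ...)) ...)` raising an error, or at least logging the exit status via `syslog` next to the existing message.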
--
2.33.1
Josselin Poiret wrote on 15 Nov 2021 21:53
[PATCH v2 0/3] Add support for LUKS2 root partition
(name . Ludovic Courtès)(address . ludo@gnu.org)
20211115205341.9724-1-dev@jpoiret.xyz
Hello again Ludovic,

Here is an updated patchset, which includes the changes you suggested,
as well as updating the installer to use LUKS2 by default (I tested it
in a VM and it works pretty well). I don't think there's any reason
not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
case if there are specific needs they can be addressed by a manual
installation.

Best,

Josselin Poiret (3):
gnu: system: Add LUKS2 support for the root file system.
doc: Document LUKS2 GRUB support and shortcomings
installer: Make LUKS2 the default format for encrypted devices

doc/guix.texi | 22 +++++++++++++++++-----
gnu/bootloader/grub.scm | 3 +--
gnu/installer/parted.scm | 5 +++--
gnu/system/mapped-devices.scm | 10 ++++++++--
4 files changed, 29 insertions(+), 11 deletions(-)

--
2.33.1
Ludovic Courtès wrote on 1 Dec 2021 17:22
Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
(name . Josselin Poiret)(address . dev@jpoiret.xyz)(address . 51514-done@debbugs.gnu.org)
87sfvc1eir.fsf_-_@gnu.org
Hello Josselin,

Josselin Poiret <dev@jpoiret.xyz> wrote:

> Here is an updated patchset, which includes the changes you suggested,
> as well as update the installer to use LUKS2 by default (I tested it
> in a VM and it works pretty well). I don't think there's any reason
> not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
> case if there are specific needs they can be addressed by a manual
> installation.
>
> Best,
>
> Josselin Poiret (3):
> gnu: system: Add LUKS2 support for the root file system.
> doc: Document LUKS2 GRUB support and shortcomings
> installer: Make LUKS2 the default format for encrypted devices

Applied it all after checking:

make check-system TESTS=encrypted-root-os

Thank you!

Ludo’.