From: Andreas Enge
To: Ludovic Courtès
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Tue, 8 Mar 2016 20:21:04 +0100
Message-ID: <20160308192104.GA22722@solar>
In-Reply-To: <87twozi0ql.fsf@gnu.org>
Cc: 21843@debbugs.gnu.org

I tried the installation with unencrypted /boot,
encrypted / using the following snippet in the configuration file:

    (bootloader (grub-configuration (device "/dev/sda")))
    (mapped-devices (list (mapped-device
                            (source "/dev/sda2")
                            (target "root")
                            (type luks-device-mapping))))
    (file-systems (cons* (file-system
                           (device "/dev/mapper/root")
                           (title 'device)
                           (mount-point "/")
                           (type "ext4")
                           (needed-for-boot? #t))
                         (file-system
                           (device "boot")
                           (title 'label)
                           (mount-point "/boot")
                           (type "ext4")
                           (needed-for-boot? #t))
                         %base-file-systems))

Grub did not start, as it did not find the kernel etc. in /gnu/store. So I typed "c" at the grub menu (in text mode without the splash screen, which also resides in /gnu/store), and issued the following two commands:

    insmod luks
    cryptomount hd0,msdos2

This prompted me for the password a first time. The "insmod cryptodisk" was not necessary. There was a new device called "(crypto0)" now; "ls (crypto0)/" showed, among others, the /gnu directory.

Now I still needed to define the kernel; running "boot" was not enough. I executed

    configfile (hd0,msdos1)/grub/grub.cfg

and now obtained the normal grub menu (with the splash screen) and could now boot as usual. I was prompted a second time for the password. According to the grub.cfg, grub searches for the kernel by file name and uses the device where it is found automatically as root. So the second time it must also have searched (crypto0).

This can be automated; I just added the two lines

    insmod luks
    cryptomount hd0,msdos2

to the top of grub.cfg, and the next time everything worked out of the box (with two password prompts: the first one in text mode before grub was visibly started, then the grub splash screen appeared, then during the normal boot).

The only difficulty here is the mapping between the mapped-device /dev/sda2 and the grub device hd0,msdos2. We would need to determine this automatically when creating the grub.cfg during the call to "guix system init". Maybe UUIDs can help.
The command

    cryptsetup luksUUID /dev/sda2

returns a hex string with dashes, in my case 1aa...-... This could be run during "guix system init" with the source field of mapped-device.

The grub manual at:
https://www.gnu.org/software/grub/manual/html_node/Device-syntax.html#Device-syntax
mentions a device syntax such as

    (cryptouuid/123456789abcdef0123456789abcdef0)

I tried replacing

    cryptomount hd0,msdos2

by

    cryptomount cryptouuid/1aa...

(without the dashes), but this did not work. The strange thing is that grub somehow knows this uuid; when I type

    cryptomount hd0,msdos2

I am presented with the prompt

    Enter passphrase for hd0,msdos2 (1aa...):

So I am stuck here.

A first tentative solution would be to look for mapped-devices of type luks-device-mapping that correspond to file-systems with needed-for-boot? set to #t, and then add the corresponding "cryptomount" lines to grub.cfg, with the obvious mapping sda->hd0, sdb->hd1, ..., and 1->msdos1, 2->msdos2 and so on. This would not be perfect, but at least better than what we have now. And the line "insmod luks" could be added unconditionally (or only in the presence of a mapped-device of type luks-device-mapping).

Andreas
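The tentative solution in the message above, sketched as a stand-alone Python example (added here; it is not code from the bug report or from Guix). It models the operating-system snippet as plain dicts, assumes the sda->hd0 / partition N->msdosN naming the message proposes, and therefore shares its stated limitation that BIOS disk order and MBR partitioning are taken for granted.

```python
"""Derive the grub.cfg prelude ('insmod luks' + 'cryptomount ...') from a
Guix-like configuration, following the heuristic proposed in bug#21843.

Constructed example, not Guix's own code. The /dev/sdX -> hdN and
partition -> msdosN mapping is the approximation the report calls imperfect:
it assumes the firmware enumerates disks in the same order as Linux and that
the disk uses an MBR partition table.
"""
import re

_DEV_RE = re.compile(r"^/dev/sd([a-z])(\d+)$")


def linux_to_grub_device(path):
    """Map e.g. '/dev/sda2' to 'hd0,msdos2'; raise ValueError for other paths."""
    m = _DEV_RE.match(path)
    if not m:
        raise ValueError("unsupported device path: %s" % path)
    disk_index = ord(m.group(1)) - ord("a")
    return "hd%d,msdos%s" % (disk_index, m.group(2))


def luks_devices_needed_for_boot(mapped_devices, file_systems):
    """Source paths of LUKS mappings backing a file system marked needed-for-boot."""
    by_target = {}
    for md in mapped_devices:
        if md["type"] == "luks-device-mapping":
            by_target["/dev/mapper/" + md["target"]] = md["source"]
    sources = []
    for fs in file_systems:
        if fs.get("needed-for-boot") and fs["device"] in by_target:
            src = by_target[fs["device"]]
            if src not in sources:          # one cryptomount per device
                sources.append(src)
    return sources


def grub_cfg_prelude(mapped_devices, file_systems):
    """Lines to prepend to grub.cfg, or [] when no LUKS device is needed for boot."""
    sources = luks_devices_needed_for_boot(mapped_devices, file_systems)
    if not sources:
        return []
    return ["insmod luks"] + ["cryptomount " + linux_to_grub_device(s) for s in sources]


# Constructed sample mirroring the configuration snippet in the report.
SAMPLE_MAPPED = [{"source": "/dev/sda2", "target": "root", "type": "luks-device-mapping"}]
SAMPLE_FS = [
    {"device": "/dev/mapper/root", "mount-point": "/", "needed-for-boot": True},
    {"device": "boot", "mount-point": "/boot", "needed-for-boot": True},
]

if __name__ == "__main__":
    print("\n".join(grub_cfg_prelude(SAMPLE_MAPPED, SAMPLE_FS)))
```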