From debbugs-submit-bounces@debbugs.gnu.org Tue May 31 06:44:49 2022 Received: (at 55723) by debbugs.gnu.org; 31 May 2022 10:44:49 +0000 Received: from localhost ([127.0.0.1]:46743 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nvzMn-00011p-2d for submit@debbugs.gnu.org; Tue, 31 May 2022 06:44:49 -0400 Received: from jpoiret.xyz ([206.189.101.64]:36660) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nvzMl-00011h-9U for 55723@debbugs.gnu.org; Tue, 31 May 2022 06:44:48 -0400 Received: from authenticated-user (jpoiret.xyz [206.189.101.64]) by jpoiret.xyz (Postfix) with ESMTPA id 21475184D3D; Tue, 31 May 2022 10:44:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim; t=1653993884; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=s1XK5Sehi0HVzaPShCv8ZDmB3Xxzyx/6AzhRx+9d+LQ=; b=EoEdo6Zo3g3jLiMiNt8po52TXb/d/wTz+phtma9zjys3y7279X0F4Gn9xlbinDd6b6yoKs U+0lqCrnL7Xq8abL8AvGYTbnHrZ7rBDUymLnQCiYS3gP9flbBShn9FWvp32g5utW/uXjRV HWnmRgRPbqvDCZndbSmLRfCagIliMpDNm+Ubt0WmZ3UNv3cE+IMZNNg2ejHUxHVLIeh5I5 u4i9t2qucV8ahCqLsgzSjE6hjgmFMC5L8qEGMBIsAgKAlQ5QkI9R5So7vmTvWaUHj/v0eq RCkUsDpN784bAgdBGUNu3GGaAjMLv4i2ZIgSJJpBRcXsOSgLuO6cMj3WzYny8Q== From: Josselin Poiret To: Lars-Dominik Braun , 55723@debbugs.gnu.org Subject: Re: bug#55723: Full disk encryption with grub-efi and LUKS2 In-Reply-To: References: Date: Tue, 31 May 2022 12:44:43 +0200 Message-ID: <87fskqgew4.fsf@jpoiret.xyz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Authentication-Results: jpoiret.xyz; auth=pass smtp.auth=jpoiret@jpoiret.xyz smtp.mailfrom=dev@jpoiret.xyz X-Spamd-Bar: / X-Spam-Score: 2.1 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hello Lars, Lars-Dominik Braun writes: > Hi, > > I followed the manual to manually install Guix with full disk encryption > using LUKS2 and PBKDF2. However this leaves me with an unbootable system, > stuck at Grub’s rescue prompt, becaus [...] Content analysis details: (2.1 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 1.6 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: jpoiret.xyz (xyz)] 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Debbugs-Envelope-To: 55723 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 2.1 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hello Lars, Lars-Dominik Braun writes: > Hi, > > I followed the manual to manually install Guix with full disk encryption > using LUKS2 and PBKDF2. However this leaves me with an unbootable system, > stuck at Grub’s rescue prompt, becaus [...] Content analysis details: (2.1 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 1.6 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: jpoiret.xyz (xyz)] 1.0 BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD -0.0 T_SCC_BODY_TEXT_LINE No description available. -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager Hello Lars, Lars-Dominik Braun writes: > Hi, > > I followed the manual to manually install Guix with full disk encryption > using LUKS2 and PBKDF2. However this leaves me with an unbootable system, > stuck at Grub=E2=80=99s rescue prompt, because `grub-install` apparently = does > not know how to detect a LUKS2 target and therefore does not include > the modules required to open the encrypted volume in the EFI image. See > [1]. > > I managed to manually create a core.img with the help of ArchLinux=E2=80= =99 > Wiki[2] (see also [3]), boot into the system and reconfigure with a > modified bootloader: > > [...] > > Supposedly there are also patches for grub-mkimage, but maybe we can > include a workaround like the above by default until then or remove the > section about LUKS2 entirely? Thank you for posting this bug and sorry for taking so long with this. I'd suggest that we instead add a warning that `/boot/` must be unencrypted for LUKS2+GRUB to work for now, possibly pointing to this bug. Let me explain the whole situation so that we have good summary of the LUKS2+GRUB situation: * GRUB the bootloader itself supports unlocking LUKS2 cryptodisks, with its `luks2` module, that we load via `insmod luks2` in the grub.cfg. It doesn't contain support for Argon2i yet, so only the PBKDF2 key derivation function can be used, which is unfortunately not the default for cryptsetup. * Now, while the `luks2` module lets you unlock your disk, you have the usual chicken-and-egg problem: GRUB modules are stored in /boot/grub/. If this resides on a LUKS2 drive, then you'd be out of luck! However, this is a common issue with bootloaders, and GRUB allows embedding modules inside its own image, so that some modules are preloaded. You can either create the image manually using grub-mkimage, or grub-install can take care of it for you, by detecting which modules should be embedded using a user-space version of GRUB. This is where the LUKS2 support isn't finished yet: the userspace utilities don't recognize LUKS2, and will thus not try to include luks2 and friends if /boot/grub/ is on such a device. The crux of the issue is that when running in user-space, GRUB cheats by "pretending" to mount the device itself (called cheatmounting), and actually relays all reads to the underlying dm-crypt device! For LUKS1, this works well, but LUKS2 can have multiple keyslots and data segments, each with different algorithms, and since we don't know which keyslot was used to unlock the device, we won't know which GRUB crypto modules to include. My approach at [1] is to ask device-mapper directly, but there are also other patches trying various other methods, and the consensus now seems to be that each patch does one thing well and that we should combine all of the good parts. In any case, I can send a documentation patch to warn about the current situation later today. [1] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00076.html Best, --=20 Josselin Poiret