GNU bug report logs - #51514
[PATCH 0/2] Add support for LUKS2 root partition


Package: guix-patches;

Reported by: Josselin Poiret <dev <at> jpoiret.xyz>

Date: Sat, 30 Oct 2021 15:57:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Sat, 30 Oct 2021 15:57:02 GMT)

Acknowledgement sent to Josselin Poiret <dev <at> jpoiret.xyz>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 30 Oct 2021 15:57:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH 0/2] Add support for LUKS2 root partition
Date: Sat, 30 Oct 2021 15:56:33 +0000
Hi,

This patchset adds support for a LUKS2 root partition, leveraging its
Grub support since 2.06, and making sure that the Cryptsetup run-time
locking directory /var/cryptsetup/ exists before trying to unlock
devices (this is required for LUKS2): this used to fail in early
userspace because /var/ did not exist. I've also added some
documentation on the limited support: Grub only supports PBKDF2 and
not Argon2i which is the default key derivation function. The example
given in the Disk Partitioning section was updated as well to use
LUKS2.

My testing setup was: using a Guix VM, install onto a qcow2 disk which
is itself launched with QEMU. It felt a bit convoluted (especially
transferring the WIP guix to the VM, then building it), and I'll see if
I can simplify this workflow a bit, but everything worked fine with
those patches.

Best,
Josselin Poiret

Josselin Poiret (2):
  gnu: system: Add LUKS2 support for the root file system.
  doc: Document LUKS2 Grub support and shortcomings

 doc/guix.texi                 | 19 ++++++++++++++-----
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 3 files changed, 23 insertions(+), 9 deletions(-)

-- 
2.33.1
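The check the cover letter describes (run `cryptsetup luksDump` and read the PBKDF field of each keyslot) is worth scripting before relying on GRUB to unlock the root device, since a wrong keyslot only shows up at the boot prompt. The script below is an added example, not part of this patch series or of Guix: it parses the text output of `cryptsetup luksDump` and reports which keyslots GRUB 2.06 (PBKDF2 only) can use. The function names are mine, the two dumps embedded in it are constructed samples in the layout `luksDump` prints (abbreviated, with a placeholder UUID and salts omitted), and `/dev/sda2` is the device from the documentation example. On a real system feed it `cryptsetup luksDump /dev/sda2`.

```shell
#!/bin/sh
# Added example (not from the patch series or Guix): list the PBKDF of every
# LUKS2 keyslot in `cryptsetup luksDump` output and say whether GRUB 2.06,
# which only implements PBKDF2, has a keyslot it can unlock.
#
# Usage on a real device:
#   cryptsetup luksDump /dev/sda2 | keyslot_pbkdfs | grub_unlockable

# Read a luksDump on stdin; print "<slot> <pbkdf>" for each keyslot.
# Only the "Keyslots:" section is considered: the "Digests:" section also
# says "pbkdf2" and must not be mistaken for a keyslot.
keyslot_pbkdfs() {
    awk '
        /^[A-Za-z ]+:$/          { section = $0; next }   # top-level section header
        section != "Keyslots:"   { next }                 # ignore everything else
        /^[ \t]*[0-9]+: /        { slot = $1; sub(":", "", slot) }
        /^[ \t]*PBKDF:/          { print slot, $2 }
    '
}

# Read "<slot> <pbkdf>" lines on stdin; report each slot and return 0 only
# if at least one keyslot uses pbkdf2, i.e. GRUB can open the device with
# that slot's passphrase.  Any other KDF (argon2i, argon2id) is skipped by GRUB.
grub_unlockable() {
    status=1
    while read -r slot kdf; do
        if [ "$kdf" = "pbkdf2" ]; then
            echo "keyslot $slot: $kdf (GRUB 2.06 can unlock with this slot)"
            status=0
        else
            echo "keyslot $slot: $kdf (GRUB 2.06 cannot use this slot)"
        fi
    done
    return "$status"
}

# Constructed sample (abbreviated luksDump): slot 0 keeps the cryptsetup
# default (Argon2), slot 1 was added with --pbkdf pbkdf2 for GRUB.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
)

# Constructed sample of a device formatted with plain `cryptsetup luksFormat`:
# only an Argon2 keyslot, so GRUB cannot unlock it.
ARGON_ONLY_DUMP=$(cat <<'EOF'
Keyslots:
  0: luks2
        PBKDF:      argon2i
Digests:
  0: pbkdf2
EOF
)

# Demo on the mixed sample: prints both slots and exits 0.
printf '%s\n' "$SAMPLE_DUMP" | keyslot_pbkdfs | grub_unlockable
```

The section filter matters: a LUKS2 header's key digest is always PBKDF2-based, so a naive `grep pbkdf2` on the dump reports success even for a device GRUB cannot open.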





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Sat, 30 Oct 2021 16:13:02 GMT)

Message #8 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: 51514 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>
Subject: [PATCH 1/2] gnu: system: Add LUKS2 support for the root file system.
Date: Sat, 30 Oct 2021 16:12:36 +0000
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
           ;; Other type of devices aren't implemented.
           #~()))
     (let ((devices (map crypto-device->cryptomount store-crypto-devices))
-          ;; XXX: Add luks2 when grub 2.06 is packaged.
-          (modules #~(format port "insmod luks~%")))
+          (modules #~(format port "insmod luks~%insmod luks2~%")))
       (if (null? devices)
           devices
           (cons modules devices))))
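Review bot: the deleted `;; XXX: Add luks2 when grub 2.06 is packaged.` recorded a hard version dependency that the new `insmod luks2` line now relies on silently; `insmod luks2` fails at the GRUB prompt on any GRUB older than 2.06, and neither the commit message nor a comment states that the `grub` package in Guix has reached 2.06. Please say so in the commit message (or keep a one-line comment next to the `format` call) so the dependency stays visible to whoever next bumps or pins GRUB.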
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..95944b03c8 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
-                          '((gnu build file-systems)))
+                          '((gnu build file-systems)
+			    (guix build utils))) ;; For mkdir-p
     (match targets
       ((target)
        #~(let ((source #$(if (uuid? source)
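Review bot: the continuation line `(guix build utils))) ;; For mkdir-p` is indented with a tab while the surrounding code uses spaces (the added lines in the next hunk have the same problem), and its margin comment uses `;;` where this file's convention for end-of-line comments is a single `;` (see `;bytevector?` a few lines down). Please re-indent with spaces and use `; for mkdir-p`.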
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
-                         #:select (find-partition-by-luks-uuid)))
+                         #:select (find-partition-by-luks-uuid))
+			((guix build utils) #:select (mkdir-p)))
+
+	   ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+	   ;; is mandatory for LUKS2.
+	   (mkdir-p "/run/cryptsetup/")
 
            ;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
            ;; whole world inside the initrd (for when we're in an initrd).
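Review bot: the path created here, `/run/cryptsetup/`, disagrees with the cover letter, which talks about `/var/cryptsetup/`; the code is the right one (cryptsetup's LUKS2 lock directory lives under `/run`), so the cover letter should be corrected to avoid sending readers looking at `/var`. The comment and the commit message already say `/run/cryptsetup/`, which is good; the trailing slash in the `mkdir-p` argument is unnecessary.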
-- 
2.33.1





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Sat, 30 Oct 2021 16:14:01 GMT)

Message #11 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: 51514 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>
Subject: [PATCH 2/2] doc: Document LUKS2 Grub support and shortcomings
Date: Sat, 30 Oct 2021 16:12:37 +0000
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
 doc/guix.texi | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 22215214e0..4420f67050 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2492,13 +2492,22 @@ mkfs.ext4 -L my-root /dev/sda2
 If you are instead planning to encrypt the root partition, you can use
 the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
 @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information).  Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that Grub can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for Cryptsetup on Guix.  You can check which key derivation function is
+being used by a device by running @command{cryptsetup luksDump <dev>},
+and looking for the PBKDF field of your keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence would be along these lines:
 
 @example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
 mkfs.ext4 -L my-root /dev/mapper/my-partition
 @end example
 
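Review bot: the warning explains the GRUB limitation but not its cost. `--pbkdf pbkdf2` in the example replaces the LUKS2 default (Argon2, which is memory-hard) with a KDF that is far cheaper to brute-force offline, so the text should tell readers to choose a correspondingly strong passphrase and could point at `--iter-time` to raise the PBKDF2 cost beyond cryptsetup's benchmarked default. It would also help to mention `cryptsetup luksConvertKey --pbkdf pbkdf2 @var{device}` for devices that already exist, since the text as written only covers a fresh `luksFormat`.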
-- 
2.33.1





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Fri, 12 Nov 2021 22:33:01 GMT)

Message #14 received at 51514 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 51514 <at> debbugs.gnu.org
Subject: Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
Date: Fri, 12 Nov 2021 23:32:02 +0100
Hello!

I haven’t tested it, but the patches LGTM.  Nitpick:

Josselin Poiret <dev <at> jpoiret.xyz> skribis:

> * doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
> Partitioning]: Document it.

[…]

> +@quotation Warning
> +Note that Grub can unlock LUKS2 devices since version 2.06, but only

s/Grub/GRUB/ :-)

> +supports the PBKDF2 key derivation function, which is not the default
> +for Cryptsetup on Guix.  You can check which key derivation function is
> +being used by a device by running @command{cryptsetup luksDump <dev>},

@var{device} rather than <dev>.

> +and looking for the PBKDF field of your keyslots.

Should we change “which is not the default for Cryptsetup on Guix” to
“but @command{cryptsetup luksFormat} does not use PBKDF2 by default”?

> +@end quotation
> +
> +Assuming you want to store the root partition on @file{/dev/sda2}, the
> +command sequence would be along these lines:
                   ^
+ “to format it as a LUKS2 partition”

Could you send an updated version of this patch?

Besides, do you think we should change the installer to create LUKS2
partitions now in (gnu installer parted)?

Thanks!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Mon, 15 Nov 2021 20:54:02 GMT)

Message #17 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, 51514 <at> debbugs.gnu.org
Subject: [PATCH v2 1/3] gnu: system: Add LUKS2 support for the root file system.
Date: Mon, 15 Nov 2021 20:53:39 +0000
* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod
luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index d8e888ff40..42f71aa4db 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev)
           ;; Other type of devices aren't implemented.
           #~()))
     (let ((devices (map crypto-device->cryptomount store-crypto-devices))
-          ;; XXX: Add luks2 when grub 2.06 is packaged.
-          (modules #~(format port "insmod luks~%")))
+          (modules #~(format port "insmod luks~%insmod luks2~%")))
       (if (null? devices)
           devices
           (cons modules devices))))
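Review bot: nothing at `guix system` build time checks that the keyslot GRUB will try actually uses PBKDF2, so a device formatted with the cryptsetup default only fails at the boot prompt, where there is no fallback and no useful diagnostic. Since this function is where the `insmod luks2` line is emitted, a comment here pointing at the PBKDF2 restriction documented in the manual would leave a breadcrumb for the next person debugging an unbootable system; a check in the installer when it formats the device would catch the problem before the first reboot.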
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 518dbc4fe8..96a381d5fe 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
-                          '((gnu build file-systems)))
+                          '((gnu build file-systems)
+                            (guix build utils))) ;; For mkdir-p
     (match targets
       ((target)
        #~(let ((source #$(if (uuid? source)
@@ -201,7 +202,12 @@ (define (open-luks-device source targets)
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
-                         #:select (find-partition-by-luks-uuid)))
+                         #:select (find-partition-by-luks-uuid))
+                        ((guix build utils) #:select (mkdir-p)))
+
+           ;; Create '/run/cryptsetup/' if it does not exist, as device locking
+           ;; is mandatory for LUKS2.
+           (mkdir-p "/run/cryptsetup/")
 
            ;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the
            ;; whole world inside the initrd (for when we're in an initrd).
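Review bot: `(mkdir-p "/run/cryptsetup/")` creates the lock directory with whatever mode the process umask yields, whereas cryptsetup creates its own lock directory root-only (0700). In the initrd that is harmless, but the comment below notes this gexp also runs outside the initrd, where unprivileged users exist, so consider following the `mkdir-p` with `(chmod "/run/cryptsetup" #o700)` so that lock files cannot be created or tampered with by other users. The trailing slash in the path is unnecessary.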
-- 
2.33.1





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Mon, 15 Nov 2021 20:54:02 GMT)

Message #20 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, 51514 <at> debbugs.gnu.org
Subject: [PATCH v2 2/3] doc: Document LUKS2 GRUB support and shortcomings
Date: Mon, 15 Nov 2021 20:53:40 +0000
* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
 doc/guix.texi | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1b10e2d626..95d286a836 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -98,6 +98,7 @@ Copyright @copyright{} 2021 pukkamustard@*
 Copyright @copyright{} 2021 Alice Brenon@*
 Copyright @copyright{} 2021 Andrew Tropin@*
 Copyright @copyright{} 2021 Sarah Morgensen@*
+Copyright @copyright{} 2021 Josselin Poiret@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -2492,13 +2493,24 @@ mkfs.ext4 -L my-root /dev/sda2
 If you are instead planning to encrypt the root partition, you can use
 the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
 @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
-@code{man cryptsetup}} for more information).  Assuming you want to
-store the root partition on @file{/dev/sda2}, the command sequence would
-be along these lines:
+@code{man cryptsetup}} for more information).
+
+@quotation Warning
+Note that GRUB can unlock LUKS2 devices since version 2.06, but only
+supports the PBKDF2 key derivation function, which is not the default
+for @command{cryptsetup luksFormat}.  You can check which key derivation
+function is being used by a device by running @command{cryptsetup
+luksDump @var{device}}, and looking for the PBKDF field of your
+keyslots.
+@end quotation
+
+Assuming you want to store the root partition on @file{/dev/sda2}, the
+command sequence to format it as a LUKS2 partition would be along these
+lines:
 
 @example
-cryptsetup luksFormat /dev/sda2
-cryptsetup open --type luks /dev/sda2 my-partition
+cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
+cryptsetup open /dev/sda2 my-partition
 mkfs.ext4 -L my-root /dev/mapper/my-partition
 @end example
 
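Review bot: "which is not the default for @command{cryptsetup luksFormat}" leaves readers who run `luksDump` with nothing to compare against; name the default (Argon2, shown as `argon2i` or `argon2id` depending on the cryptsetup version) so the PBKDF line is recognisable. It is also worth saying that the `Digests:` section of `luksDump` output shows `pbkdf2` too and is not what to look at: only the `PBKDF:` line under each entry of `Keyslots:` matters, and only one keyslot needs to be PBKDF2 for GRUB, the one whose passphrase is typed at boot.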
-- 
2.33.1





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Mon, 15 Nov 2021 20:54:03 GMT)

Message #23 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, 51514 <at> debbugs.gnu.org
Subject: [PATCH v2 3/3] installer: Make LUKS2 the default format for encrypted devices
Date: Mon, 15 Nov 2021 20:53:41 +0000
* gnu/installer/parted.scm (luks-format-and-open): Change it.
---
 gnu/installer/parted.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/installer/parted.scm b/gnu/installer/parted.scm
index cbe676017b..00de0a30fa 100644
--- a/gnu/installer/parted.scm
+++ b/gnu/installer/parted.scm
@@ -1165,8 +1165,9 @@ (define (luks-format-and-open user-partition)
      (lambda (key-file)
        (syslog "formatting and opening LUKS entry ~s at ~s~%"
                label file-name)
-       (system* "cryptsetup" "-q" "luksFormat" file-name key-file)
-       (system* "cryptsetup" "open" "--type" "luks"
+       (system* "cryptsetup" "-q" "luksFormat" "--type" "luks2"
+                "--pbkdf" "pbkdf2" file-name key-file)
+       (system* "cryptsetup" "open"
                 "--key-file" key-file file-name label)))))
 
 (define (luks-close user-partition)
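Review bot: both `system*` calls still discard their exit status, so if `cryptsetup luksFormat --type luks2 --pbkdf pbkdf2` fails (for instance because the installer image's cryptsetup does not accept `--pbkdf`), the following `open` runs against an unformatted partition and the installer notices only later, if at all; wrap them as `(unless (zero? (system* ...)) (error ...))` or at least log the status next to the existing `syslog` call. Because `--pbkdf pbkdf2` now selects the weaker KDF for every installer user, consider passing `--iter-time` as well, or leave a comment stating why the benchmarked default cost is acceptable, and confirm the installer's cryptsetup supports LUKS2 before making it the default.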
-- 
2.33.1





Information forwarded to guix-patches <at> gnu.org:
bug#51514; Package guix-patches. (Mon, 15 Nov 2021 20:54:03 GMT)

Message #26 received at 51514 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, 51514 <at> debbugs.gnu.org
Subject: [PATCH v2 0/3] Add support for LUKS2 root partition
Date: Mon, 15 Nov 2021 20:53:38 +0000
Hello again Ludovic,

Here is an updated patchset, which includes the changes you suggested,
as well as update the installer to use LUKS2 by default (I tested it
in a VM and it works pretty well).  I don't think there's any reason
not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
case if there are specific needs they can be addressed by a manual
installation.

Best,

Josselin Poiret (3):
  gnu: system: Add LUKS2 support for the root file system.
  doc: Document LUKS2 GRUB support and shortcomings
  installer: Make LUKS2 the default format for encrypted devices

 doc/guix.texi                 | 22 +++++++++++++++++-----
 gnu/bootloader/grub.scm       |  3 +--
 gnu/installer/parted.scm      |  5 +++--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 4 files changed, 29 insertions(+), 11 deletions(-)

-- 
2.33.1





Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Wed, 01 Dec 2021 16:23:01 GMT)

Notification sent to Josselin Poiret <dev <at> jpoiret.xyz>:
bug acknowledged by developer. (Wed, 01 Dec 2021 16:23:01 GMT)

Message #31 received at 51514-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 51514-done <at> debbugs.gnu.org
Subject: Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
Date: Wed, 01 Dec 2021 17:22:20 +0100
Hello Josselin,

Josselin Poiret <dev <at> jpoiret.xyz> skribis:

> Here is an updated patchset, which includes the changes you suggested,
> as well as update the installer to use LUKS2 by default (I tested it
> in a VM and it works pretty well).  I don't think there's any reason
> not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
> case if there are specific needs they can be addressed by a manual
> installation.
>
> Best,
>
> Josselin Poiret (3):
>   gnu: system: Add LUKS2 support for the root file system.
>   doc: Document LUKS2 GRUB support and shortcomings
>   installer: Make LUKS2 the default format for encrypted devices

Applied it all after checking:

  make check-system TESTS=encrypted-root-os

Thank you!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 30 Dec 2021 12:24:06 GMT)
