GNU bug report logs - #55723
Full disk encryption with grub-efi and LUKS2

Previous Next

Package: guix;

Reported by: Lars-Dominik Braun <lars <at> 6xq.net>

Date: Mon, 30 May 2022 10:09:01 UTC

Severity: normal

To reply to this bug, email your comments to 55723 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#55723; Package guix. (Mon, 30 May 2022 10:09:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars-Dominik Braun <lars <at> 6xq.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 30 May 2022 10:09:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <lars <at> 6xq.net>
To: bug-guix <at> gnu.org
Subject: Full disk encryption with grub-efi and LUKS2
Date: Mon, 30 May 2022 12:07:47 +0200
Hi,

I followed the manual to manually install Guix with full disk encryption
using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
stuck at Grub’s rescue prompt, because `grub-install` apparently does
not know how to detect a LUKS2 target and therefore does not include
the modules required to open the encrypted volume in the EFI image. See
[1].

I managed to manually create a core.img with the help of ArchLinux’
Wiki[2] (see also [3]), boot into the system and reconfigure with a
modified bootloader:

---snip---
(define install-grub-efi-mkimage
  "Create an Grub EFI image with included cryptomount support for luks2,
which grub-install does not handle yet."
  #~(lambda (bootloader efi-dir mount-point)
        (when efi-dir
            (let ((grub-mkimage (string-append bootloader "/bin/grub-mkimage"))
                  ;; Required modules, YMMV.
                  (modules (list "luks2" "part_gpt" "cryptodisk" "gcry_rijndael" "pbkdf2" "gcry_sha256" "ext2"))
                  (prefix (string-append mount-point "/boot/grub"))
                  ;; Different configuration required to set up a crypto
                  ;; device. Change crypto_uuid to match your output of
                  ;; `cryptsetup luksUUID /device`.
                  ;; XXX: Maybe cryptomount -a could work?
                  (config #$(plain-file "grub.cfg" "set crypto_uuid=755e547f78f44dc38dab58399e1780a6
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal"))
                  (target-esp (if (file-exists? (string-append mount-point efi-dir))
                                  (string-append mount-point efi-dir)
                                  efi-dir)))
              (apply invoke (append
                             (list
                               grub-mkimage
                              "-p" prefix
                              "-O" "x86_64-efi"
                              "-c" config
                              "-o" (string-append target-esp "/EFI/Guix/grubx64.efi"))
                             modules))))))

(define grub-efi-bootloader-luks2
  (bootloader
    (inherit grub-efi-bootloader)
    (name 'grub-efi-luks2)
    (installer install-grub-efi-mkimage)))
---snap---

Supposedly there are also patches for grub-mkimage, but maybe we can
include a workaround like the above by default until then or remove the
section about LUKS2 entirely?

Cheers,
Lars

[1] https://logs.guix.gnu.org/guix/2022-05-27.log#111808
[2] https://wiki.archlinux.org/title/GRUB#LUKS2
[3] https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot





Information forwarded to bug-guix <at> gnu.org:
bug#55723; Package guix. (Tue, 31 May 2022 10:45:02 GMT) Full text and rfc822 format available.

Message #8 received at 55723 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Lars-Dominik Braun <lars <at> 6xq.net>, 55723 <at> debbugs.gnu.org
Subject: Re: bug#55723: Full disk encryption with grub-efi and LUKS2
Date: Tue, 31 May 2022 12:44:43 +0200
Hello Lars,

Lars-Dominik Braun <lars <at> 6xq.net> writes:

> Hi,
>
> I followed the manual to manually install Guix with full disk encryption
> using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
> stuck at Grub’s rescue prompt, because `grub-install` apparently does
> not know how to detect a LUKS2 target and therefore does not include
> the modules required to open the encrypted volume in the EFI image. See
> [1].
>
> I managed to manually create a core.img with the help of ArchLinux’
> Wiki[2] (see also [3]), boot into the system and reconfigure with a
> modified bootloader:
>
> [...]
>
> Supposedly there are also patches for grub-mkimage, but maybe we can
> include a workaround like the above by default until then or remove the
> section about LUKS2 entirely?

Thank you for posting this bug and sorry for taking so long with this.
I'd suggest that we instead add a warning that `/boot/` must be
unencrypted for LUKS2+GRUB to work for now, possibly pointing to this
bug.

Let me explain the whole situation so that we have good summary of the
LUKS2+GRUB situation:

* GRUB the bootloader itself supports unlocking LUKS2 cryptodisks, with
  its `luks2` module, that we load via `insmod luks2` in the grub.cfg.
  It doesn't contain support for Argon2i yet, so only the PBKDF2 key
  derivation function can be used, which is unfortunately not the
  default for cryptsetup.

* Now, while the `luks2` module lets you unlock your disk, you have the
  usual chicken-and-egg problem: GRUB modules are stored in
  /boot/grub/.  If this resides on a LUKS2 drive, then you'd be out of
  luck!  However, this is a common issue with bootloaders, and GRUB
  allows embedding modules inside its own image, so that some modules
  are preloaded.  You can either create the image manually using
  grub-mkimage, or grub-install can take care of it for you, by
  detecting which modules should be embedded using a user-space version
  of GRUB.  This is where the LUKS2 support isn't finished yet: the
  userspace utilities don't recognize LUKS2, and will thus not try to
  include luks2 and friends if /boot/grub/ is on such a device.

The crux of the issue is that when running in user-space, GRUB cheats by
"pretending" to mount the device itself (called cheatmounting), and
actually relays all reads to the underlying dm-crypt device!  For LUKS1,
this works well, but LUKS2 can have multiple keyslots and data segments,
each with different algorithms, and since we don't know which keyslot
was used to unlock the device, we won't know which GRUB crypto modules
to include.  My approach at [1] is to ask device-mapper directly, but
there are also other patches trying various other methods, and the
consensus now seems to be that each patch does one thing well and that
we should combine all of the good parts.

In any case, I can send a documentation patch to warn about the current
situation later today.

[1] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00076.html

Best,
-- 
Josselin Poiret




Information forwarded to bug-guix <at> gnu.org:
bug#55723; Package guix. (Tue, 31 May 2022 14:37:02 GMT) Full text and rfc822 format available.

Message #11 received at 55723 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Josselin Poiret <dev <at> jpoiret.xyz>, Lars-Dominik Braun <lars <at> 6xq.net>,
 55723 <at> debbugs.gnu.org
Subject: [PATCH] doc: Warn about LUKS2-encrypted boot not working with GRUB.
Date: Tue, 31 May 2022 16:36:37 +0200
* doc/guix.texi (Disk Partitioning): Do it.
---
 doc/guix.texi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1666466958..c7f6070ced 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2560,6 +2560,11 @@ for @command{cryptsetup luksFormat}.  You can check which key derivation
 function is being used by a device by running @command{cryptsetup
 luksDump @var{device}}, and looking for the PBKDF field of your
 keyslots.
+
+Note also that having @file{/boot/} reside on a LUKS2-encrypted device
+is currently unsupported because of a GRUB 2.06 bug, see
+@url{https://issues.guix.gnu.org/55723, bug #55723}.  The graphical
+installer defaults to LUKS1 for this reason.
 @end quotation
 
 Assuming you want to store the root partition on @file{/dev/sda2}, the
-- 
2.36.0





Information forwarded to bug-guix <at> gnu.org:
bug#55723; Package guix. (Thu, 02 Jun 2022 13:45:02 GMT) Full text and rfc822 format available.

Message #14 received at 55723 <at> debbugs.gnu.org (full text, mbox):

From: Giovanni Biscuolo <g <at> xelera.eu>
To: Josselin Poiret <dev <at> jpoiret.xyz>, Lars-Dominik Braun <lars <at> 6xq.net>,
 55723 <at> debbugs.gnu.org
Subject: Re: bug#55723: Full disk encryption with grub-efi and LUKS2
Date: Thu, 02 Jun 2022 15:44:26 +0200
[Message part 1 (text/plain, inline)]
Hello Josselin and Lars-Dominik

Josselin Poiret via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

[...]

>> Supposedly there are also patches for grub-mkimage, but maybe we can
>> include a workaround like the above by default until then or remove the
>> section about LUKS2 entirely?
>
> Thank you for posting this bug and sorry for taking so long with this.
> I'd suggest that we instead add a warning that `/boot/` must be
> unencrypted for LUKS2+GRUB to work for now, possibly pointing to this
> bug.

As Josselin wrote in the proposed patch, actually /boot/ on LUKS1 is
working well

In case it is helpful, it's possible to "Downgrade" a LUKS2 volume to
LUKS1, I found this guide useful:
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

[...]

> to include.  My approach at [1] is to ask device-mapper directly, but
> there are also other patches trying various other methods, and the
> consensus now seems to be that each patch does one thing well and that
> we should combine all of the good parts.

Thank you very much for the update and the work on GRUB!

Please is there any upstream (GRUB) bug report we can point to in this
one so we can follow the situation and know when upsstream will release
the patch?

[...]

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#55723; Package guix. (Sun, 05 Jun 2022 10:39:02 GMT) Full text and rfc822 format available.

Message #17 received at 55723 <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <lars <at> 6xq.net>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 55723 <at> debbugs.gnu.org
Subject: Re: [PATCH] doc: Warn about LUKS2-encrypted boot not working with
 GRUB.
Date: Sun, 5 Jun 2022 12:38:03 +0200
Hi Josselin,

> +Note also that having @file{/boot/} reside on a LUKS2-encrypted device
> +is currently unsupported because of a GRUB 2.06 bug, see
> +@url{https://issues.guix.gnu.org/55723, bug #55723}.  The graphical
> +installer defaults to LUKS1 for this reason.
instead of adding yet another exception, why not just document how
to do it with LUKS1, which – as I understand it – works without
these quirks?

Cheers,
Lars





This bug report was last modified 1 year and 297 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.