From: bug#21843 <21843@debbugs.gnu.org>
To: bug#21843 <21843@debbugs.gnu.org>
Subject: Status: Generated grub.cfg does not support encrypted roots
Date: Wed, 20 Aug 2025 04:04:08 +0000

retitle 21843 Generated grub.cfg does not support encrypted roots
reassign 21843 guix
submitter 21843 ludo@gnu.org (Ludovic Courtès)
severity 21843 important
tag 21843 patch fixed
thanks

From: ludo@gnu.org (Ludovic Courtès)
To: bug-guix@gnu.org
Subject: Generated grub.cfg does not support encrypted roots
Date: Fri, 06 Nov 2015 16:52:34 +0100

As reported by 宋文武 at :

  Follow the manual to set up encrypted root, using the desktop.scm
  template, but at the final step, it failed with:

    Path '/mnt/boot/grub' is not readable by GRUB on boot.
    Installation is impossible. Aborting.

  (can be reproduced by `grub-install /dev/sdb --boot-directory /mnt/boot')

  After search, it seems that an un-encrypted boot partition is needed:
  https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition

  So, I run fdisk to add a boot partition, finally install finished!

  But it can't boot, I have to mount the encrypted root in Grub's cmdline:

    insmod cryptodisk
    insmod luks
    cryptomount hd0,msdos2

Ludo’.

Date: Mon, 29 Feb 2016 15:24:28 +0100
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Subject: control message for bug #21843

severity 21843 important

Date: Tue, 8 Mar 2016 20:21:04 +0100
From: Andreas Enge
To: Ludovic Courtès
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots

I tried the installation with unencrypted /boot, encrypted / using the
following snippet in the configuration file:

  (bootloader (grub-configuration (device "/dev/sda")))
  (mapped-devices (list (mapped-device
                          (source "/dev/sda2")
                          (target "root")
                          (type luks-device-mapping))))
  (file-systems (cons* (file-system
                         (device "/dev/mapper/root")
                         (title 'device)
                         (mount-point "/")
                         (type "ext4")
                         (needed-for-boot? #t))
                       (file-system
                         (device "boot")
                         (title 'label)
                         (mount-point "/boot")
                         (type "ext4")
                         (needed-for-boot? #t))
                       %base-file-systems))

Grub did not start, as it did not find the kernel etc. in /gnu/store.
So I typed "c" at the grub menu (in text mode without the splash screen,
which also resides in /gnu/store), and issued the following two commands:
   insmod luks
   cryptomount hd0,msdos2
This prompted me for the password a first time. The "insmod cryptodisk"
was not necessary.

There was a new device called "(crypto0)" now;
"ls (crypto0)/" showed, among others, the /gnu directory.

Now I still needed to define the kernel; running "boot" was not enough.
I executed
   configfile (hd0,msdos1)/grub/grub.cfg
and now obtained the normal grub menu (with the splash screen) and could now
boot as usual. I was prompted a second time for the password.

According to the grub.cfg, grub searches for the kernel by file name and
uses the device where it is found automatically as root. So the second time
it must also have searched (crypto0).

This can be automated; I just added the two lines
   insmod luks
   cryptomount hd0,msdos2
to the top of grub.cfg, and the next time everything worked out of the box
(with two password prompts: the first one in text mode before grub was
visibly started, then the grub splash screen appeared, then during the
normal boot).

The only difficulty here is the mapping between the mapped-device /dev/sda2
and the grub device hd0,msdos2. We would need to determine this automatically
when creating the grub.cfg during the call to "guix system init".

Maybe UUIDs can help. The command
   cryptsetup luksUUID /dev/sda2
returns a hex string with dashes, in my case 1aa...-...
This could be run during "guix system init" with the source field of
mapped-device.

The grub manual at:
   https://www.gnu.org/software/grub/manual/html_node/Device-syntax.html#Device-syntax
mentions a device syntax such as
   (cryptouuid/123456789abcdef0123456789abcdef0)
I tried replacing
   cryptomount hd0,msdos2
by
   cryptomount cryptouuid/1aa...
(without the dashes), but this did not work. The strange thing is that grub
somehow knows this uuid; when I type
   cryptomount hd0,msdos2
I am presented with the prompt
   Enter passphrase for hd0,msdos2 (1aa...):

So I am stuck here.

A first tentative solution would be to look for mapped-devices of type
luks-device-mapping that correspond to file-systems with needed-for-boot?
set to #t, and then add the corresponding "cryptomount" lines to grub.cfg,
with the obvious mapping sda->hd0, sdb->hd1,..., and 1->msdos1, 2->msdos2
and so on. This would not be perfect, but at least better than what we have
now. And the line "insmod luks" could be added unconditionally (or only in
the presence of a mapped-device of type luks-device-mapping).

Andreas

Date: Tue, 8 Mar 2016 20:33:09 +0100
From: Andreas Enge
To: Ludovic Courtès
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots

What is needed are the following two lines at the beginning of grub.cfg:

insmod luks
cryptomount -u 1aa...

where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".

So the logic outlined in my previous message works:
Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
lead to a file-system with needed-for-boot? set to #t.
Using
   cryptsetup luksUUID /dev/sdXY
determine a corresponding uuid 12345...0.
If any such mapped-device exists, add
   insmod luks
as the first line of grub.cfg.
For any such mapped-device, add a line
   cryptomount -u 12345...0
right after that.

To simplify the logic, we could also move the needed-for-boot? parameter
to mapped-device, or add such a parameter there.

Andreas

From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 10 Mar 2016 10:17:46 +0100

Andreas Enge skribis:

> What is needed are the following two lines at the beginning of grub.cfg:
>
> insmod luks
> cryptomount -u 1aa...
>
> where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".
>
> So the logic outlined in my previous message works:
> Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
> lead to a file-system with needed-for-boot? set to #t.
> Using
>    cryptsetup luksUUID /dev/sdXY
> determine a corresponding uuid 12345...0.
> If any such mapped-device exists, add
>    insmod luks
> as the first line of grub.cfg.
> For any such mapped-device, add a line
>    cryptomount -u 12345...0
> right after that.

IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
pass the device name, in GRUB format, which would allow us to use the
same strategy as in ‘grub-root-search’ in (gnu system grub)… with the
difficulty that we’d have to be able to map Linux /dev node names to
GRUB device names.

Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
their ‘mapped-device’ form, as in:

  (mapped-device
    (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))  ;LUKS UUID
    (target "root")
    (type luks-device-mapping))

we’d have to extend with a method to resolve UUIDs
(in this case, to map a UUID to a /dev node.)

Thoughts?

Looks like more work than I initially thought.

Besides, I think we should only worry about the mapped device(s) that
back / and /boot, rather than any mapped device, no?

Thanks for looking into it,
Ludo’.

Date: Thu, 10 Mar 2016 10:48:37 +0100
From: Andreas Enge
To: Ludovic Courtès
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots

On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
> IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
> pass the device name, in GRUB format

Yes, but my idea was that the uuid is something we can determine
at instantiation time. If the mapped device is /dev/sdd3, we can run
   (system* "cryptsetup" "luksUUID" "/dev/sdd3")
and obtain the uuid.

I suppose we could also use the grub device (hd3,msdos3) in this case,
but I do not know what is the mapping between /dev nodes and these devices,
and if it is actually a function that could be computed from the file name
in /dev only or not.

>   (mapped-device
>     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))  ;LUKS UUID
>     (target "root")
>     (type luks-device-mapping))
> we’d have to extend with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

We can also let the users do the work (and document this in the manual),
by having them supply all the information:

   (mapped-device
     (source "/dev/sdd3")
     (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")  ;LUKS UUID
     (target "root")
     (type luks-device-mapping)
     (needed-for-boot? #t))

> Besides, I think we should only worry about the mapped device(s) that
> back / and /boot, rather than any mapped device, no?

This could either be solved by determining which file systems have
needed-for-boot? #t and determine the corresponding mapped devices,
or by adding such a parameter for the mapped-device as in my suggestion
above.

Or we do it all automatically for / and /boot and drop the parameter
needed-for-boot? everywhere.

Andreas

From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Fri, 11 Mar 2016 09:45:07 +0100

Andreas Enge skribis:

> On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
>> IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
>> pass the device name, in GRUB format
>
> Yes, but my idea was that the uuid is something we can determine
> at instantiation time. If the mapped device is /dev/sdd3, we can run
>    (system* "cryptsetup" "luksUUID" "/dev/sdd3")
> and obtain the uuid.

Hmm yeah, but we don’t even do that for regular partitions.

> I suppose we could also use the grub device (hd3,msdos3) in this case,
> but I do not know what is the mapping between /dev nodes and these devices,
> and if it is actually a function that could be computed from the file name
> in /dev only or not.

‘grub-probe’ should know, I think.

>>   (mapped-device
>>     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))  ;LUKS UUID
>>     (target "root")
>>     (type luks-device-mapping))
>> we’d have to extend with a method to resolve UUIDs
>> (in this case, to map a UUID to a /dev node.)
>
> We can also let the users do the work (and document this in the manual),
> by having them supply all the information:
>
>    (mapped-device
>      (source "/dev/sdd3")
>      (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")  ;LUKS UUID
>      (target "root")
>      (type luks-device-mapping)
>      (needed-for-boot? #t))

I think the goal of providing a UUID is to not have to worry about the
actual device name (which could change).

The ‘needed-for-boot?’ flag should be unnecessary because it can be
inferred from corresponding file systems, as is already the case.

>> Besides, I think we should only worry about the mapped device(s) that
>> back / and /boot, rather than any mapped device, no?
>
> This could either be solved by determining which file systems have
> needed-for-boot? #t and determine the corresponding mapped devices,
> or by adding such a parameter for the mapped-device as in my suggestion
> above.
>
> Or we do it all automatically for / and /boot and drop the parameter
> needed-for-boot? everywhere.

We keep it only in ‘file-system’, I think.

Anyway, sounds like quite a bit of work here. :-)

Ludo’.

Date: Wed, 16 Mar 2016 21:40:00 +0100
From: Andreas Enge
To: Ludovic Courtès
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots

On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
> Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
> their ‘mapped-device’ form, as in:
>   (mapped-device
>     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))  ;LUKS UUID
>     (target "root")
>     (type luks-device-mapping))
> we’d have to extend with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

I just read a bit of the cryptsetup manual; we do not need to do the
resolution, in the above example we would have the line
   cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
(as discussed previously; it works at least without the dashes, we can also
try to keep the dashes).
And then it should be possible to open the device with
   cryptsetup luksOpen UUID=cb67fc72-0d54-4c88-9d4b-b225f30b0f44 root
This looks for the given uuid in /dev/disk/by-uuid.

I wanted to give it a try with the installation image, but unfortunately it
does not contain the directory /dev/disk.

Andreas

Date: Thu, 17 Mar 2016 14:14:35 +0100
From: Andreas Enge To: Ludovic =?iso-8859-15?Q?Court=E8s?= Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots Message-ID: <20160317131435.GA12731@solar> References: <87twozi0ql.fsf@gnu.org> <20160308192104.GA22722@solar> <20160308193309.GA2251@solar> <8760wuy9mt.fsf@gnu.org> <20160316204000.GA8709@solar> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160316204000.GA8709@solar> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 21843 Cc: 21843@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) On Wed, Mar 16, 2016 at 09:40:00PM +0100, Andreas Enge wrote: > I just read a bit of the cryptsetup manual; we do not need to do the > resolution, in the above example we would have the line > cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44 > (as discussed previously; it works at least without the dashes, we can also > try to keep the dashes). > And then it should be possible to open the device with > cryptsetup luksOpen UUID=cb67fc72-0d54-4c88-9d4b-b225f30b0f44 root > This looks for the given uuid in /dev/disk/by-uuid. > > I wanted to give it a try with the installation image, but unfortunately it > does not contain the directory /dev/disk. I tried it out with an already installed (and reconfigured, but that should not make a difference) GuixSD, and the above "cryptsetup" line works as well (with the dashes). 
Andreas

From debbugs-submit-bounces@debbugs.gnu.org Sat Apr 16 12:09:49 2016
From: ludo@gnu.org (Ludovic Courtès)
To: 21843@debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Sat, 16 Apr 2016 18:09:35 +0200

ludo@gnu.org (Ludovic Courtès) writes:

> Path '/mnt/boot/grub' is not readable by GRUB on boot.
> Installation is impossible. Aborting.
>
> (can be reproduced by `grub-install /dev/sdb --boot-directory
> /mnt/boot')

On this topic, see the story about ‘grub-probe’ at:

  https://lists.gnu.org/archive/html/help-guix/2016-01/msg00118.html

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 17 19:29:37 2016
From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge
Cc: 21843@debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Mon, 18 Apr 2016 01:29:22 +0200

ludo@gnu.org (Ludovic Courtès) writes:

> Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
> their ‘mapped-device’ form, as in:
>
>   (mapped-device
>     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
>     (target "root")
>     (type luks-device-mapping))
>
> we’d have to extend with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

Commit ffba7d498d36618ad21af3961a1a685ae91bae57 makes it possible,
building on ‘find-partition-by-luks-uuid’ added in
a1ccefaa122df7c0045eda1fe6b65d83b65ed238.

(Tested on my system where /home is LUKS-encrypted.)

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 27 16:59:13 2016
From: ludo@gnu.org (Ludovic Courtès)
To: Andreas Enge
Cc: 21843@debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 27 Apr 2016 22:58:59 +0200

Andreas Enge writes:

> What is needed are the following two lines at the beginning of grub.cfg:
>
> insmod luks
> cryptomount -u 1aa...

The attached patch does exactly that when the ‘mapped-device’ source is
a UUID, as is the case with the modified bare-bones.tmpl example:

diff --git a/gnu/system.scm b/gnu/system.scm index 768ca9c..da41ba6 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -210,6 +210,16 @@ as 'needed-for-boot'." (string=? (file-system-device fs) target))) file-systems))) +(define (file-system-mapped-device file-system devices) + "Return the mapped-device among DEVICES that backs FILE-SYSTEM, or #f." + (and (eq? 'device (file-system-title file-system)) + (string-prefix? "/dev/mapper/" (file-system-device file-system)) + (let ((name (string-drop (file-system-device file-system) + (string-length "/dev/mapper/")))) + (find (lambda (md) + (string=? (mapped-device-target md) name)) + devices)))) + (define (operating-system-user-mapped-devices os) "Return the subset of mapped devices that can be installed in user-land--i.e., those not needed during boot." @@ -674,6 +684,15 @@ listed in OS. The C library expects to find it under "Return the file system that contains the store of OS." (store-file-system (operating-system-file-systems os))) +(define (grub-config-for-store-file-system os) + (let ((md (file-system-mapped-device (operating-system-store-file-system os) + (operating-system-mapped-devices os)))) + (if md + (let* ((type (mapped-device-type md)) + (grub (mapped-device-kind-grub type))) + (grub (mapped-device-source md) (mapped-device-target md))) + '()))) + (define* (operating-system-grub.cfg os #:optional (old-entries '())) "Return the GRUB configuration file for OS. Use OLD-ENTRIES to populate the \"old entries\" menu." @@ -694,7 +713,8 @@ listed in OS. The C library expects to find it under #~(string-append "--load=" #$system "/boot") (operating-system-kernel-arguments os))) - (initrd #~(string-append #$system "/initrd")))))) + (initrd #~(string-append #$system "/initrd")) + (extra-lines (grub-config-for-store-file-system os)))))) (grub-configuration-file (operating-system-bootloader os) store-fs entries #:old-entries old-entries))) diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl index 87e8d1e..b85593d 100644 --- a/gnu/system/examples/bare-bones.tmpl 
+++ b/gnu/system/examples/bare-bones.tmpl @@ -13,9 +13,13 @@ ;; Assuming /dev/sdX is the target hard disk, and "my-root" is ;; the label of the target root file system. (bootloader (grub-configuration (device "/dev/sdX"))) + (mapped-devices (list (mapped-device + (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) + (target "foo") + (type luks-device-mapping)))) (file-systems (cons (file-system - (device "my-root") - (title 'label) + (device "/dev/mapper/foo") + (title 'device) (mount-point "/") (type "ext4")) %base-file-systems)) diff --git a/gnu/system/grub.scm b/gnu/system/grub.scm index 45b46ca..60cc044 100644 --- a/gnu/system/grub.scm +++ b/gnu/system/grub.scm @@ -114,7 +114,9 @@ (linux menu-entry-linux) (linux-arguments menu-entry-linux-arguments (default '())) ; list of string-valued gexps - (initrd menu-entry-initrd)) ; file name of the initrd as a gexp + (initrd menu-entry-initrd) ; file name of the initrd as a gexp + (extra-lines menu-entry-extra-lines ; list of string-valued gexps + (default '()))) ;;; @@ -253,13 +255,14 @@ corresponding to old generations of the system." (define entry->gexp (match-lambda - (($ label linux arguments initrd) - #~(format port "menuentry ~s { + (($ label linux arguments initrd extra-lines) + #~(format port "menuentry ~s {~{~% ~a~} ~a linux ~a/~a ~a initrd ~a }~%" #$label + (list #$@extra-lines) #$(grub-root-search store-fs #~(string-append #$linux "/" #$linux-image-name)) 
@@ -268,22 +271,25 @@ corresponding to old generations of the system." (mlet %store-monad ((sugar (eye-candy config store-fs system #~port))) (define builder - #~(call-with-output-file #$output - (lambda (port) - #$sugar - (format port " + #~(begin + (use-modules (ice-9 format)) + + (call-with-output-file #$output + (lambda (port) + #$sugar + (format port " set default=~a set timeout=~a~%" - #$(grub-configuration-default-entry config) - #$(grub-configuration-timeout config)) - #$@(map entry->gexp all-entries) + #$(grub-configuration-default-entry config) + #$(grub-configuration-timeout config)) + #$@(map entry->gexp all-entries) - #$@(if (pair? old-entries) - #~((format port " + #$@(if (pair? old-entries) + #~((format port " submenu \"GNU system, old configurations...\" {~%") - #$@(map entry->gexp old-entries) - (format port "}~%")) - #~())))) + #$@(map entry->gexp old-entries) + (format port "}~%")) + #~()))))) (gexp->derivation "grub.cfg" builder))) diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 450b473..ddb6c8d 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -22,7 +22,11 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:autoload (gnu packages cryptsetup) (cryptsetup) + #:autoload (gnu build file-systems) (uuid->string) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:use-module (rnrs bytevectors) #:use-module (ice-9 match) #:export (mapped-device mapped-device? @@ -34,6 +38,7 @@ mapped-device-kind? mapped-device-kind-open mapped-device-kind-close + mapped-device-kind-grub device-mapping-service-type device-mapping-service @@ -59,7 +64,9 @@ mapped-device-kind? (open mapped-device-kind-open) ;source target -> gexp (close mapped-device-kind-close ;source target -> gexp - (default (const #~(const #f))))) + (default (const #~(const #f)))) + (grub mapped-device-kind-grub ;source target -> gexp list + (default #f))) ;| #f ;;; 
@@ -121,10 +128,21 @@ #~(zero? (system* (string-append #$cryptsetup "/sbin/cryptsetup") "close" #$target))) +(define (grub-luks-device source target) + (if (bytevector? source) + (list "insmod luks" + (string-append "cryptomount -u " (uuid->string source))) + (raise + (condition + (&message + (message (format #f "LUKS mapped-device source must be a UUID: ~s" + source))))))) + (define luks-device-mapping ;; The type of LUKS mapped devices. (mapped-device-kind (open open-luks-device) - (close close-luks-device))) + (close close-luks-device) + (grub grub-luks-device))) ;;; mapped-devices.scm ends here

A good way to test it (not as root!) is:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system reconfigure gnu/system/examples/bare-bones.tmpl
/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system
/gnu/store/9l0dfdxj7ybck63r9zrgnxbyryn6f0kh-grub.cfg
/gnu/store/myrc5cinlhpj2yilhzv5y0szz2ax2i6z-grub-2.00
guix system: error: symlink: Mankas permeso: "/var/guix/profiles/system-192-link"
--8<---------------cut here---------------end--------------->8---

The generated grub.cfg whose name appears above has this entry:

--8<---------------cut here---------------start------------->8---
menuentry "GNU with Linux-Libre 4.5.2 (beta)" {
  insmod luks
  cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
  search --file --set /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage
  linux /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo --system=/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system --load=/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/boot
  initrd /gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/initrd
}
--8<---------------cut here---------------end--------------->8---

Now, I haven’t tested this in reality and would appreciate help here.
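Review bot: ‘file-system-mapped-device’ in gnu/system.scm only matches a store file system whose title is 'device and whose device string starts with "/dev/mapper/". For a file system on a LUKS mapping that is named any other way it returns #f, ‘grub-config-for-store-file-system’ then yields '(), and the menu entry is written without ‘insmod luks’ or ‘cryptomount’. Nothing reports this at reconfigure time; it only shows up as an entry that cannot boot. The bare-bones.tmpl hunk switches the root from (title 'label) to (title 'device), which is what makes the match succeed there. Please document the restriction, or warn when mapped devices are declared and none of them matches the store file system.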
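Review bot: in ‘grub-config-for-store-file-system’ (gnu/system.scm) the value of ‘mapped-device-kind-grub’ is applied without a check, while the new ‘grub’ field in gnu/system/mapped-devices.scm is declared with (default #f). A mapped-device kind that does not set ‘grub’ and backs the store file system would make (grub (mapped-device-source md) (mapped-device-target md)) attempt to call #f while grub.cfg is being built. Return '() when ‘grub’ is #f, and give the procedure a docstring as ‘file-system-mapped-device’ has.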
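Review bot: in gnu/system/grub.scm the extra lines are written inside each menuentry body by ‘entry->gexp’, but #$sugar from (eye-candy config store-fs system #~port) is still written first, ahead of every menu entry, and the request quoted in this message was for the two lines "at the beginning of grub.cfg". If the eye-candy snippet reads anything from the store file system, it does so before ‘cryptomount’ has run on an encrypted root; please confirm that it degrades cleanly in that case or emit the lines ahead of #$sugar too. Entries passed in as ‘old-entries’ get the lines only if their constructor sets ‘extra-lines’, since the field defaults to '().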
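Review bot: ‘grub-luks-device’ in gnu/system/mapped-devices.scm passes (uuid->string source) straight to "cryptomount -u", so the generated line carries the dashed UUID, as in the grub.cfg entry quoted in this message. Earlier in this thread the form reported as working in GRUB was the one without dashes, and the message says the result has not been booted, so this needs a boot test (or the dashes stripped) before it goes in. The non-UUID branch raises a bare &message condition, which turns a string ‘source’ into a hard error during reconfigure; the message should name the mapped device at fault, and the ‘target’ argument is available for that and currently unused.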
We may have to add the patch to ‘guix-devel’ in (gnu packages
package-management) to test it.

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Sun May 01 17:29:51 2016
Date: Sun, 01 May 2016 23:29:47 +0200
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Subject: control message for bug #21843

tags 21843 patch

From debbugs-submit-bounces@debbugs.gnu.org Sun May 01 18:08:04 2016
From: ludo@gnu.org (Ludovic Courtès)
To: 21843@debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Mon, 02 May 2016 00:07:39 +0200

ludo@gnu.org (Ludovic Courtès) writes:

> Now, I haven’t tested this in reality and would appreciate help here.

I’m in the process of implementing automated tests for the installation
process.

Ludo’.

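A static check for the property this bug is about, as an added example (not code from Guix or from any message in this thread): it parses a generated grub.cfg and reports menu entries that boot from /dev/mapper/... without ‘insmod luks’ and ‘cryptomount -u’ ahead of the first command that reads the store. The sample configuration is constructed from the entry quoted in the thread with shortened store paths, the function names are hypothetical, and treating search/linux/initrd as the store-reading commands is an assumption taken from that entry.

```python
import re

MAPPER_ROOT = re.compile(r"--root=/dev/mapper/\S+")
ENTRY_START = re.compile(r'menuentry\s+"((?:[^"\\]|\\.)*)".*\{$')
STORE_READERS = ("search", "linux", "initrd")   # assumption, see lead-in

LUKS_UUID = "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"   # UUID used in the thread

# Constructed sample: the first entry mirrors the one quoted in the thread,
# the second models an old-generation entry written without the extra lines.
SAMPLE_CFG = """\
set default=0
set timeout=5
menuentry "GNU with Linux-Libre 4.5.2 (beta)" {
  insmod luks
  cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
  search --file --set /gnu/store/EXAMPLE-linux-libre-4.5.2/bzImage
  linux /gnu/store/EXAMPLE-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo
  initrd /gnu/store/EXAMPLE-system/initrd
}
submenu "GNU system, old configurations..." {
menuentry "Old generation (constructed)" {
  search --file --set /gnu/store/EXAMPLE-linux-libre-4.5.2/bzImage
  linux /gnu/store/EXAMPLE-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo
  initrd /gnu/store/EXAMPLE-old-system/initrd
}
}
"""


def normalize_uuid(uuid):
    """Compare LUKS UUIDs without regard to dashes or letter case."""
    return uuid.replace("-", "").lower()


def parse_menuentries(cfg_text):
    """Return [(title, [command line, ...])] for every menuentry, including
    entries nested in a submenu block. Line-oriented: good enough for
    machine-generated files, not a full GRUB script parser."""
    entries, current = [], None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = ENTRY_START.match(line)
        if start:
            current = (start.group(1), [])
            entries.append(current)
        elif line == "}":
            current = None          # closes a menuentry or the enclosing submenu
        elif current is not None:
            current[1].append(line)
    return entries


def check_entry(commands, luks_uuid):
    """Return a list of problems for one menuentry body."""
    cmds = [c.split() for c in commands]
    linux = next((c for c in cmds if c[0] == "linux"), None)
    if linux is None or not MAPPER_ROOT.search(" ".join(linux)):
        return []                   # root is not a mapped device: nothing to check
    first_read = next(i for i, c in enumerate(cmds) if c[0] in STORE_READERS)
    insmod = next((i for i, c in enumerate(cmds) if c == ["insmod", "luks"]), None)
    mount = next((i for i, c in enumerate(cmds)
                  if len(c) == 3 and c[:2] == ["cryptomount", "-u"]), None)
    problems = []
    if insmod is None:
        problems.append("missing 'insmod luks'")
    if mount is None:
        problems.append("missing 'cryptomount -u UUID'")
        return problems
    if insmod is not None and insmod > mount:
        problems.append("'insmod luks' comes after cryptomount")
    if mount > first_read:
        problems.append("cryptomount comes after a command that reads the store")
    if normalize_uuid(cmds[mount][2]) != normalize_uuid(luks_uuid):
        problems.append("cryptomount UUID differs from the mapped-device source")
    return problems


def audit(cfg_text, luks_uuid):
    """Check every menuentry; returns [(title, [problem, ...])]."""
    return [(title, check_entry(cmds, luks_uuid))
            for title, cmds in parse_menuentries(cfg_text)]


if __name__ == "__main__":
    for title, problems in audit(SAMPLE_CFG, LUKS_UUID):
        print(title, "->", problems or "ok")
```

UUIDs are compared with dashes removed, so both spellings discussed in the thread are accepted.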
From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 26 11:32:53 2016
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
To: Ludovic Courtès, 21843@debbugs.gnu.org
From: Christopher Baines
Date: Wed, 26 Oct 2016 07:56:12 +0100

On 01/05/16 23:07, Ludovic Courtès wrote:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Now, I haven’t tested this in reality and would appreciate help here.
>
> I’m in the process of implementing automated tests for the installation
> process.

I've been looking at this bug, as I've got a new laptop which I would like
to install GuixSD on, and I would like to use an encrypted root partition.

Regarding the system tests, it looks to me like they do exist now, but so
far I've been unable to run them (I get an error related to hash mismatch
of module-import-compiled, I want to try getting it to fall back, but first
I need to work out where Guix is being invoked...).

From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 23 15:21:18 2016
From: ludo@gnu.org (Ludovic Courtès)
To: Christopher Baines
Cc: 21843@debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 23 Nov 2016 21:21:05 +0100

Hello!

(And apologies Christopher for not replying earlier!)

I’m happy to report that this issue is finally fixed in
f7f292d359e0eb77617f4ecf6b3164f868ec1784!

The complete list of relevant commits is this:

--8<---------------cut here---------------start------------->8---
f7f292d * install: Enable "cryptodisk" handling in GRUB.
b7d408e * mapped-devices: Use 'cryptsetup-static' in 'luks-device-mapping'.
fe93383 * marionette: Add 'marionette-screen-text' using OCR.
f25c9eb * marionette: Delay synchronization with the host's REPL.
[...]
106b389 * gnu: Add 'cryptsetup-static'.
01f94cc * gnu: Add 'lvm2-static'.
10da75d * gnu: grub: Add dependency on LVM2.
--8<---------------cut here---------------end--------------->8---

Without LVM2 support, ‘grub-install’ and ‘grub-probe’ would fail to
determine what to do with the LUKS-encrypted partition.

When using ‘cryptsetup’ instead of ‘cryptsetup-static’, we were pulling
the whole closure of ‘cryptsetup’ (105 MiB) in the initrd, which was
clearly unreasonable. ;-)

The guts was to come up with a test strategy that would work. The
difficulty here is that we have to enter a passphrase early on in
GRUB, and then once again once the kernel has booted, when ‘cryptsetup’
is invoked from the initrd. At this point, we have no good
communication channel with the hosts, hence the screenshots with OCR!
(Idea stolen from NixOS’ own tests.)

You can run the test with:

  make check-system TESTS=encrypted-root-os

Further testing welcome!

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 23 15:21:40 2016
Date: Wed, 23 Nov 2016 21:21:30 +0100
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Subject: control message for bug #21843

tags 21843 fixed
close 21843

From unknown Tue Aug 19 21:04:08 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 22 Dec 2016 12:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator