GNU bug report logs -
#25305
LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
Previous Next
Reported by: ludo <at> gnu.org (Ludovic Courtès)
Date: Fri, 30 Dec 2016 23:53:01 UTC
Severity: normal
Tags: patch
Merged with 37851
Done: Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 25305 in the body.
You can then email your comments to 25305 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Fri, 30 Dec 2016 23:53:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Fri, 30 Dec 2016 23:53:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello!
Eddie Baxter <pieceredd <at> gmail.com> skribis:
> I have attempted to install GuixSD on an encrypted root using LUKS, after
> reading the release notes for 0.12.0 that implies this should now work - My
> config.scm is linked:
>
> https://gist.github.com/AcouBass/3a1a6ab28c17830a175dc7da95eb18cd
>
> I don't get any errors on installation, nor upon doing a system
> reconfigure.
>
> At the moment I am still having to drop to a command prompt in Grub and use
> the commands:
>
> insmod luks
> cryptomount hd0,msdos2
The config has an unencrypted /boot and an encrypted root. What’s
tested and known-good is a configuration with an encrypted root that
contains /boot, like the one here:
https://www.gnu.org/software/guix/manual/html_node/Using-the-Configuration-System.html#index-encrypted-disk-1
It may be that this configuration is not correctly supported yet.
I’m Cc’ing bug-guix <at> gnu.org so we keep track of this issue.
> Which while it does work does mean I'm entering my passphrase twice
> (As well as having to drop to the Grub command line!)
The passphrase-twice issue seems hard to avoid: first GRUB needs to
access the partition, and then the kernel needs to access it.
If anyone is aware of ways to solve this, I’m all ears!
Thanks for your report!
Ludo’.
Merged 25305 37851.
Request was from
Miguel <rosen644835 <at> gmail.com>
to
control <at> debbugs.gnu.org.
(Mon, 21 Oct 2019 15:08:02 GMT)
Full text and
rfc822 format available.
Added tag(s) patch.
Request was from
Miguel <rosen644835 <at> gmail.com>
to
control <at> debbugs.gnu.org.
(Fri, 01 Nov 2019 12:13:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Mon, 26 Oct 2020 22:16:02 GMT)
Full text and
rfc822 format available.
Message #12 received at 25305 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hello!
Ludovic Courtès <ludo <at> gnu.org> writes:
> Does that cause GRUB to mount all the LUKS partitions it was aware of at
> installation time, or does it cause it to scan all the partitions in
> search of a LUKS signature?
>
> In the latter case that wouldn’t be great, but in the former case it
> sounds like we could go ahead (well, with a comment above explaining
> what this does. :-)).
Sorry for this huuuuuuuuuge delay, but I have this patch for this. It
includes a test case, even though I have been suffering a lot until I
noticed that OCR was returning garbage and I was trying to be too
specific, so I've left it as basic as I could.
I add Mathieu to the loop to bring more eyes over it, I'm open to any
suggestion. :-)
Happy hacking!
Miguel
PS: It should apply on top of master too, but I tested it on top of some
other grub.cfg fixes, I'll send a new version if there is any problem
with this.
[v3-0005-system-Allow-separated-boot-and-encrypted-root.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Wed, 28 Oct 2020 21:43:01 GMT)
Full text and
rfc822 format available.
Message #15 received at 25305 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
In this v2 I've fixed two flaws I saw in the previous patch: the
parameter store-crypto-devices now has the empty list as default value,
and now the function documents for the parameter too.
Happy hacking!
Miguel
[v4-0005-system-Allow-separated-boot-and-encrypted-root.patch (text/x-patch, attachment)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Mon, 16 Nov 2020 17:58:02 GMT)
Full text and
rfc822 format available.
Message #18 received at 25305 <at> debbugs.gnu.org (full text, mbox):
We have now pretty good LUKS support, but I don't know if we support
this use case. I always have `/boot` encrypted as well...
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Wed, 18 Nov 2020 16:55:02 GMT)
Full text and
rfc822 format available.
Message #21 received at 25305 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, 16 Nov 2020 18:56:56 +0100
Jonathan Brielmaier <jonathan.brielmaier <at> web.de> wrote:
> We have now pretty good LUKS support, but I don't know if we support
> this use case. I always have `/boot` encrypted as well...
Unencrypted /boot and encrypted / is necessary to be able to use Heads
(right now).
(It measures /boot in order to find out whether it has been tampered with or
not)
If you want to be able to boot on a Heads system, either Heads needs to be
modified to mount encrypted / , or there needs to be an unencrypted /boot.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Wed, 18 Nov 2020 17:48:02 GMT)
Full text and
rfc822 format available.
Message #24 received at 25305 <at> debbugs.gnu.org (full text, mbox):
Hi,
Danny Milosavljevic <dannym <at> scratchpost.org> skribis:
> (It measures /boot in order to find out whether it has been tampered with or
> not)
(Off-topic.) I’d be curious to see how much of this approach makes sense
in the context of immutable deployments like Guix does.
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Mon, 14 Dec 2020 13:12:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 25305 <at> debbugs.gnu.org (full text, mbox):
Hi Miguel,
Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com> skribis:
>>From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Miguel=20=C3=81ngel=20Arruga=20Vivas?=
> <rosen644835 <at> gmail.com>
> Date: Sun, 25 Oct 2020 16:31:17 +0100
> Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root.
>
> * gnu/bootloader/grub.scm (grub-configuration-file): New parameter
> store-crypto-devices.
> [crypto-devices]: New helper function.
> [builder]: Use crypto-devices.
> * gnu/machine/ssh.scm (roll-back-managed-host): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * gnu/tests/install.scm (%encrypted-root-not-boot-os,
> %encrypted-root-not-boot-os): New os declaration.
> (%encrypted-root-not-boot-installation-script): New script, whose contents
> were initially taken from %encrypted-root-installation-script.
> (%test-encrypted-root-not-boot-os): New test.
> * gnu/system.scm (define-module): Export
> operating-system-bootoader-crypto-devices and
> boot-parameters-store-crypto-devices.
> (<boot-parameters>): Add field store-crypto-devices.
> (read-boot-parameters): Parse store-crypto-devices field.
> [uuid-sexp->uuid]: New helper function extracted from
> device-sexp->device.
> (operating-system-bootloader-crypto-devices): New function.
> (operating-system-bootcfg): Use
> operating-system-bootloader-crypto-devices to provide its contents to
> the bootloader configuration generation process.
> (operating-system-boot-parameters): Add store-crypto-devices to the
> generated boot-parameters.
> (operating-system-boot-parameters-file): Likewise to the file with
> the serialized structure.
> * guix/scripts/system.scm (reinstall-bootloader): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * tests/boot-parameters.scm (%default-store-crypto-devices): New
> variable.
> (%grub-boot-parameters, test-read-boot-parameters): Use
> %default-store-crypto-devices.
> (tests store-crypto-devices): New tests.
> ---
> gnu/bootloader/grub.scm | 21 +++++++-
> gnu/machine/ssh.scm | 3 ++
> gnu/system.scm | 57 ++++++++++++++++++++-
> gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++
> guix/scripts/system.scm | 2 +
> tests/boot-parameters.scm | 29 ++++++++++-
> 6 files changed, 210 insertions(+), 5 deletions(-)
Woohoo!
> --- a/gnu/bootloader/grub.scm
> +++ b/gnu/bootloader/grub.scm
> @@ -4,7 +4,7 @@
> ;;; Copyright © 2017 Leo Famulari <leo <at> famulari.name>
> ;;; Copyright © 2017, 2020 Mathieu Othacehe <m.othacehe <at> gmail.com>
> ;;; Copyright © 2019, 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
> -;;; Copyright © 2019 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
> +;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
> ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
> ;;; Copyright © 2020 Stefan <stefan-guix <at> vodafonemail.de>
> ;;;
> @@ -360,11 +360,14 @@ code."
> (locale #f)
> (system (%current-system))
> (old-entries '())
> + (store-crypto-devices '())
> store-directory-prefix)
> "Return the GRUB configuration file corresponding to CONFIG, a
> <bootloader-configuration> object, and where the store is available at
> STORE-FS, a <file-system> object. OLD-ENTRIES is taken to be a list of menu
> entries corresponding to old generations of the system.
> +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must
> +be unlocked to access the store contents.
> STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is required
> when booting a root file system on a Btrfs subvolume."
> (define all-entries
> @@ -412,6 +415,21 @@ menuentry ~s {
> (string-join (map string-join '#$modules)
> "\n module " 'prefix))))))
>
> + (define (crypto-devices)
> + (define (crypto-device->cryptomount dev)
> + (if (uuid? dev)
> + #~(format port "cryptomount -u ~a~%"
> + ;; cryptomount only accepts UUID without the hypen.
> + #$(string-delete #\- (uuid->string dev)))
> + ;; Other type of devices aren't implemented.
> + #~()))
> + (let ((devices (map crypto-device->cryptomount store-crypto-devices))
> + ;; XXX: Add luks2 when grub 2.06 is packaged.
> + (modules #~(format port "insmod luks~%")))
> + (if (null? devices)
> + devices
> + (cons modules devices))))
What I don’t get is why we’re able to use an encrypted root right now
without emitting “cryptomount” GRUB commands?
> + (store-crypto-devices
> + (match (assq 'store rest)
> + (('store . store-data)
> + (match (assq 'crypto-devices store-data)
> + (('crypto-devices devices)
> + (if (list? devices)
> + (map uuid-sexp->uuid devices)
> + (begin
> + (warning (G_ "unrecognized crypto-device ~S at '~a'~%")
> + devices (port-filename port))
> + '())))
You could avoid ‘if’ by having clauses like:
(('crypto-devices (devices ...))
;; …
)
(('crypto-devices _)
(warning …)
'())
(_
'())
> + (_
> + ;; No crypto-devices found
> + '())))
> + (_
> + ;; No store found, old format.
> + '())))
s/No store found/No crypto devices found/ ?
> +(define (operating-system-bootloader-crypto-devices os)
> + "Return the subset of mapped devices that the bootloader must open.
> +Only devices specified by uuid are supported."
> + (map mapped-device-source
> + (filter (match-lambda
> + ((and (= mapped-device-type type)
> + (= mapped-device-source source))
> + (and (eq? luks-device-mapping type)
> + (or (uuid? source)
> + (begin
> + (warning (G_ "\
> +mapped-device '~a' won't be mounted by the bootloader.~%")
> + source)
> + #f)))))
> + ;; XXX: Ordering is important, we trust the returned one.
> + (operating-system-boot-mapped-devices os))))
You can use ‘filter-map’ here.
The rest LGTM! Make sure the “installed-os” and “encrypted-root-os”
system tests are still fine, and if they are, I guess you can go ahead.
Thanks!
Ludo’.
Reply sent
to
Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>:
You have taken responsibility.
(Mon, 21 Dec 2020 20:24:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
ludo <at> gnu.org (Ludovic Courtès):
bug acknowledged by developer.
(Mon, 21 Dec 2020 20:24:01 GMT)
Full text and
rfc822 format available.
Message #32 received at 25305-done <at> debbugs.gnu.org (full text, mbox):
Hi Ludo,
First of all, thanks for your review. :-)
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi Miguel,
>
> Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com> skribis:
>> + (define (crypto-devices)
>> + (define (crypto-device->cryptomount dev)
>> + (if (uuid? dev)
>> + #~(format port "cryptomount -u ~a~%"
>> + ;; cryptomount only accepts UUID without the hypen.
>> + #$(string-delete #\- (uuid->string dev)))
>> + ;; Other type of devices aren't implemented.
>> + #~()))
>> + (let ((devices (map crypto-device->cryptomount store-crypto-devices))
>> + ;; XXX: Add luks2 when grub 2.06 is packaged.
>> + (modules #~(format port "insmod luks~%")))
>> + (if (null? devices)
>> + devices
>> + (cons modules devices))))
>
> What I don’t get is why we’re able to use an encrypted root right now
> without emitting “cryptomount” GRUB commands?
The grub boot process goes more or less like this:
1. Firmware loads the initial image.
1.1. If that image is not the final one, it contains a "pointer" to the
final one, which is loaded by it; this chain can be viewed as part
of the firmware loading for this purpose.
2. The image code reads an initial configuration file, which is usually
generated by grub-install/grub-mkstandalone. Here Grub is placing
the needed the cryptomount lines for the devices needed to mount
target in order to read grub.cfg and other modules.
3. grub.cfg is read (a.k.a. normal mode) and the usual boot process
follows.
The first configuration file is generated automatically by grub-install,
which physically scans the target location (still /boot in our case) and
inserts the needed insmod and cryptomount calls. When the target and
the store don't share the device, the calls leading to the store must be
inserted manually into grub.cfg.
It could be easier to remove completely /boot and use a directory from
the store, but that leads to more writes of the image, as each
reconfiguration involving a change on the devices used for the store
must end up returning a different store file name too. Nonetheless,
that would leave /boot untouched if anybody wants to install their
version of grub there for other purposes...
>> + (_
>> + ;; No crypto-devices found
>> + '())))
>> + (_
>> + ;; No store found, old format.
>> + '())))
>
> s/No store found/No crypto devices found/ ?
The first comment is reached when crypto-devices isn't found in a
(boot-parameters ... (store ...) ...) form. The second one is reached
when (boot-parameters ...) form doesn't even contain a tag store in it.
It follows the same pattern as store-device, as the old format didn't
have a store element.
On the other hand, I added a period to the first sentence as it was
missing. 0:)
>> +(define (operating-system-bootloader-crypto-devices os)
>> + "Return the subset of mapped devices that the bootloader must open.
>> +Only devices specified by uuid are supported."
>> + (map mapped-device-source
>> + (filter (match-lambda
>> + ((and (= mapped-device-type type)
>> + (= mapped-device-source source))
>> + (and (eq? luks-device-mapping type)
>> + (or (uuid? source)
>> + (begin
>> + (warning (G_ "\
>> +mapped-device '~a' won't be mounted by the bootloader.~%")
>> + source)
>> + #f)))))
>> + ;; XXX: Ordering is important, we trust the returned one.
>> + (operating-system-boot-mapped-devices os))))
>
> You can use ‘filter-map’ here.
Thanks for the pointer! I've modified a bit tests/boot-parameters.scm
to be extra-sure that I was doing that change OK, as I moved the or to a
internal function for readability too.
> The rest LGTM! Make sure the “installed-os” and “encrypted-root-os”
> system tests are still fine, and if they are, I guess you can go ahead.
Pushed to master as f00e68ace0 with these changes, after running the
tests and booting up my system.
Happy hacking!
Miguel
Reply sent
to
Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>:
You have taken responsibility.
(Mon, 21 Dec 2020 20:24:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Miguel Arruga Vivas <rosen644835 <at> gmail.com>:
bug acknowledged by developer.
(Mon, 21 Dec 2020 20:24:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#25305; Package
guix.
(Tue, 22 Dec 2020 13:42:01 GMT)
Full text and
rfc822 format available.
Message #40 received at 25305-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com> skribis:
> Pushed to master as f00e68ace0 with these changes, after running the
> tests and booting up my system.
Woohoo, thank you!
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 20 Jan 2021 12:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 4 years and 153 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.