From debbugs-submit-bounces@debbugs.gnu.org Fri Dec 30 18:52:20 2016 Received: (at submit) by debbugs.gnu.org; 30 Dec 2016 23:52:20 +0000 Received: from localhost ([127.0.0.1]:60722 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cN6yC-0007tb-Cj for submit@debbugs.gnu.org; Fri, 30 Dec 2016 18:52:20 -0500 Received: from eggs.gnu.org ([208.118.235.92]:53438) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cN6yA-0007tO-Mv for submit@debbugs.gnu.org; Fri, 30 Dec 2016 18:52:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cN6y4-0001mJ-NK for submit@debbugs.gnu.org; Fri, 30 Dec 2016 18:52:13 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_40,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:53215) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cN6y4-0001m9-L0 for submit@debbugs.gnu.org; Fri, 30 Dec 2016 18:52:12 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44399) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cN6y3-0005TS-Ad for bug-guix@gnu.org; Fri, 30 Dec 2016 18:52:12 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cN6xz-0001iJ-E3 for bug-guix@gnu.org; Fri, 30 Dec 2016 18:52:11 -0500 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:36454) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cN6xz-0001iD-AW; Fri, 30 Dec 2016 18:52:07 -0500 Received: from reverse-83.fdn.fr ([80.67.176.83]:53790 helo=pluto) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1cN6xy-0000Mu-Kk; Fri, 30 Dec 2016 18:52:07 -0500 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Eddie Baxter Subject: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 References: X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 11 =?utf-8?Q?Niv=C3=B4se?= an 225 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-unknown-linux-gnu Date: Sat, 31 Dec 2016 00:52:04 +0100 In-Reply-To: (Eddie Baxter's message of "Thu, 29 Dec 2016 23:37:10 +0000") Message-ID: <87inq16km3.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -8.2 (--------) X-Debbugs-Envelope-To: submit Cc: bug-guix@gnu.org, help-guix@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -8.2 (--------) Hello! Eddie Baxter skribis: > I have attempted to install GuixSD on an encrypted root using LUKS, after > reading the release notes for 0.12.0 that implies this should now work - = My > config.scm is linked: > > https://gist.github.com/AcouBass/3a1a6ab28c17830a175dc7da95eb18cd > > I don't get any errors on installation, nor upon doing a system > reconfigure. > > At the moment I am still having to drop to a command prompt in Grub and u= se > the commands: > > insmod luks > cryptomount hd0,msdos2 The config has an unencrypted /boot and an encrypted root. What=E2=80=99s tested and known-good is a configuration with an encrypted root that contains /boot, like the one here: https://www.gnu.org/software/guix/manual/html_node/Using-the-Configuratio= n-System.html#index-encrypted-disk-1 It may be that this configuration is not correctly supported yet. I=E2=80=99m Cc=E2=80=99ing bug-guix@gnu.org so we keep track of this issue. > Which while it does work does mean I'm entering my passphrase twice > (As well as having to drop to the Grub command line!) The passphrase-twice issue seems hard to avoid: first GRUB needs to access the partition, and then the kernel needs to access it. If anyone is aware of ways to solve this, I=E2=80=99m all ears! Thanks for your report! Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 21 11:08:01 2019 Received: (at control) by debbugs.gnu.org; 21 Oct 2019 15:08:01 +0000 Received: from localhost ([127.0.0.1]:57633 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iMZHs-0000Rl-Rl for submit@debbugs.gnu.org; Mon, 21 Oct 2019 11:08:01 -0400 Received: from mail-wr1-f44.google.com ([209.85.221.44]:42275) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iMZHr-0000RX-6E for control@debbugs.gnu.org; Mon, 21 Oct 2019 11:07:59 -0400 Received: by mail-wr1-f44.google.com with SMTP id r1so4616539wrs.9 for ; Mon, 21 Oct 2019 08:07:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:date:message-id:to:subject; bh=xlUTrPZPwJjfsSaBjZHlLjbtdEewg2WT1No9LzOYygk=; b=PDq7rpf9l7zhDVjEmfw6Nw5+46ZxWp7/Xsq/gnl18UqKOBshQhf4sk0emVs4e6q7T/ /zpwVutVFizNmSmzDjOvg4yUvFSnJ5XDO9jPHoI7RJypHZ2pIZUCWyhhrJ1yFbKIi/5Z Onqji92zIdg0hF2wnD9bkvQVkPeeo0WY4GEeqJLr+4jJ+/V4d031YHbbp/OaTVoM7wR3 PbnFSnKg7JQQDy1PxxKY2qy6szIKV6NdctQNUYEMM5TPHqmdgJiJRvIbmRzfmsEj/hJD bWGHiim0EpoL+OH8nC8BW6ZuzDEU9ycLsvFxXYb7y1hHvPnvX6y54hVBc277L0chog6g Leqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:message-id:to:subject; bh=xlUTrPZPwJjfsSaBjZHlLjbtdEewg2WT1No9LzOYygk=; b=ohslgRN8mEZooggcL426LL4SKa9jy/xmOT8q/f3qC0rGjULiT3eunQDKZUhw+m9GdL ozE1Wbfff9LhwAjOEZjnwMnfodDnIFS33g6mGrsnYGo0IDjQ68F8E2eHZMHQqK7FUm6x CGPPifwZ/FSAjoDVFcgY2UAxUvltuzOVHn9XviASz+rdxdFd80C5m400DX1nUxJkY/Gm 9pGmaUuqkkVVf98PLoaR3ue2o4atpv6k69Ic8Ij5xgU0h9Q6bZjzUZ1M+ddRRA9wHmPt +Pnm0FiX68kFvOKkttJn+zp+74MaOgCgcTa75sIgF/8VO0e+tiafZBCvb+/rn0JO5KC3 jIQA== X-Gm-Message-State: APjAAAVxI/365LZNWkZqTWtG/YaRbwS8Pi1nJaRPcwsFP5EeKMynxIJS +zV31yYa4ocS4TsIlgvWTGacG/ATszk= X-Google-Smtp-Source: APXvYqzQyIp6tzwrvACvGxIZ+Zj7FQ56YFbdPSoMwrVzSQExEHegkaqxAnA1C3VdXbx2HT6FcqDe1w== X-Received: by 2002:adf:f101:: with SMTP id r1mr2639328wro.320.1571670472773; Mon, 21 Oct 2019 08:07:52 -0700 (PDT) Received: from unfall (115.201.218.87.dynamic.jazztel.es. [87.218.201.115]) by smtp.gmail.com with ESMTPSA id z125sm21398473wme.37.2019.10.21.08.07.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Oct 2019 08:07:52 -0700 (PDT) From: Miguel X-Google-Original-From: Miguel Date: Mon, 21 Oct 2019 17:07:43 +0200 Message-Id: <8736fmjfwg.fsf@unfall.i-did-not-set--mail-host-address--so-tickle-me> To: control@debbugs.gnu.org Subject: control message for bug #37851 X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) merge 37851 25305 quit From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 01 08:12:09 2019 Received: (at control) by debbugs.gnu.org; 1 Nov 2019 12:12:09 +0000 Received: from localhost ([127.0.0.1]:55120 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iQVmj-0007EK-BP for submit@debbugs.gnu.org; Fri, 01 Nov 2019 08:12:09 -0400 Received: from mail-wr1-f45.google.com ([209.85.221.45]:41098) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iQVmh-0007Du-Ba for control@debbugs.gnu.org; Fri, 01 Nov 2019 08:12:08 -0400 Received: by mail-wr1-f45.google.com with SMTP id p4so9451884wrm.8 for ; Fri, 01 Nov 2019 05:12:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:date:message-id:to:subject; bh=pNOHL8t8yflwLF1apuqzmx2dAxbS3nE3UxuQllmArlE=; b=QQUyW/joOu4mxuMyYkUbHFSoWAmDFzw91vcOrrekAt1/ju2xyxwsvKh7BIKcTx9Hgs NZLNvqZofBxg+rjCK4Q7sFnvZE3jY6RGixJTqQzrqZ21DPc+rRS5RLjvBFy2NPBBGJtQ e3XrGXHIiZT9EaV9YxhZyhTjzK4okaxUlNeVALNmhp7oZOpuRBTXAQamGxBVESxzdE2d XCOEMAYKN2edu/2s4wAYpksH1v2T4QR7iMtc/10xxm3P1/yk0EOZYfAVZCBXK4z0QAbk sAr+XYWlMHXegQPpBdA07UM49gqstwD+Lum+7PpjsBExK72hecmNpc6QgskSSVaYm9Hh sljg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:message-id:to:subject; bh=pNOHL8t8yflwLF1apuqzmx2dAxbS3nE3UxuQllmArlE=; b=IN4rNZRkWFtLcrknZJybQR+dBgBcSYKarrEF6JHLXelAudVegKC2GOj64PEPVFVLlo +/im7GhE9FE2Hx+7nAo4iI1CvOpYjMn6pOxayoNCduRVNSiJjd2dNAGSZoFci6Kpx+H3 VfaVsUZsk/w1TlROU6bDBkIkDCsSo96myqR0+xzNMH0obh6PEA79K/9ldVa63N8VQei8 4KCgl6+BrUjNF9Jpe9+trNnKWNNDBz/p2/vMEkg8YikBNtcLhHHnWPTmvfwIWh99PLU4 Mdw3Kg5yY8q0NzZR1MhRcVE7izNKa84c4s0Y6aiIB7cBwCxrHZa5vzGg9OTHe+wV4TUy Bi8g== X-Gm-Message-State: APjAAAUCk9RxfCuH6rlr9XSuQzGwDocwCrA7kkNVSB3ooB/zzOoMVHZv JOXNxVqg/yRpp4hMbvsEV4kKkfpUrvo= X-Google-Smtp-Source: APXvYqy4xBd7siSzyvlel1IczWN5J/VVKbcF5Lg8JGVKU2c609S0Tjpapyt1etmXWZa0WMG6RBuUHA== X-Received: by 2002:adf:dc03:: with SMTP id t3mr9833029wri.95.1572610321037; Fri, 01 Nov 2019 05:12:01 -0700 (PDT) Received: from unfall (115.201.218.87.dynamic.jazztel.es. [87.218.201.115]) by smtp.gmail.com with ESMTPSA id g14sm7622858wro.33.2019.11.01.05.12.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Nov 2019 05:12:00 -0700 (PDT) From: Miguel X-Google-Original-From: Miguel Date: Fri, 01 Nov 2019 13:11:52 +0100 Message-Id: <877e4jiynr.fsf@unfall.i-did-not-set--mail-host-address--so-tickle-me> To: control@debbugs.gnu.org Subject: control message for bug #37851 X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) tags 37851 + patch quit From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 26 18:15:26 2020 Received: (at 25305) by debbugs.gnu.org; 26 Oct 2020 22:15:26 +0000 Received: from localhost ([127.0.0.1]:41833 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kXAlx-00088a-4b for submit@debbugs.gnu.org; Mon, 26 Oct 2020 18:15:26 -0400 Received: from mail-wr1-f41.google.com ([209.85.221.41]:45608) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kXAlp-000888-NR; Mon, 26 Oct 2020 18:15:18 -0400 Received: by mail-wr1-f41.google.com with SMTP id e17so14659944wru.12; Mon, 26 Oct 2020 15:15:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=mUmAsr0mMABP0NVnSfWiRbH4VO1Qwi+gKL2SpgvVv78=; b=IuQcUZY52wcFnMQ5XJ0sorFY/XGOejAMPJqBz/DH4yTb1UJL28iUHGefK5fh3oxEJM WfNwGaFNoGrlFIM3Od9c41JsrENgAb0LOOsnvuFNmi1xcugwXtvZe5/0dAvwmLvlwLX8 s3idlFvizGvfyUfAgqoAUCGfV/a+an7VFhJSrYsOe6q+5+4AyU9pDSwYCkxGuIX8fHAF 8/8y90e3YVaDUoB0dAuvJm67vw4u4AuTX1z5FIFJGAmBiIhZdIPBKLBFk4ozTYlzq2YC gewcheR8eh4CTAGC5IDG/9KVL9/DyYafD5SWYiQ6DSTwwZALVsTEsMIVuTCLLGEDDdNM dD8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=mUmAsr0mMABP0NVnSfWiRbH4VO1Qwi+gKL2SpgvVv78=; b=YS+5NsQHk5Xy6dmjOwLEfvz2U13Qw1764xBcD6JQ2zHLQIEe7hrb/HIwHvFPesowIj 3RYr6vffo0NPy+r7xu2JK2L4za9gtfgf+693DCIZajbrnr/m/oHTYuLGfQevX+jDdIOM dISihLNfarJ3I8bmdgTqYEsQTeFDMRIGJPF83R7OtQZfgVKxf1PMVbPeoM3AjN5trMnX VSX1RMk3gK7r90fhk9h6BEbVLqC5/IPcMQTvWDHz6OSu3lrFl7d8Ytb2htwL6PiLdPjq SAq1HHEWrDFlSwW08SNuUX3ZbAYWvcEbP1BFYXBHQT1ZsUWeiJdKVQ1lwvzvVBd8hjlj kU0g== X-Gm-Message-State: AOAM532QuiSqvTi5V7+k50rKe9gsoWg8VwrA7XTay50r/RmapmbwcdJQ /ld/y/3YQOWccEC4/czWp/qT73pRchP9Xg== X-Google-Smtp-Source: ABdhPJyDbrFKe9ARjMAtIk3+YGyA3EdmOc4JeHpVPeTW67yCdt+VnDdAy5riiUwNa7VWw0A4v76l/g== X-Received: by 2002:a5d:4fcc:: with SMTP id h12mr21094567wrw.132.1603750511780; Mon, 26 Oct 2020 15:15:11 -0700 (PDT) Received: from unfall (218.139.134.37.dynamic.jazztel.es. [37.134.139.218]) by smtp.gmail.com with ESMTPSA id a15sm23373494wro.3.2020.10.26.15.15.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Oct 2020 15:15:10 -0700 (PDT) From: =?utf-8?Q?Miguel_=C3=81ngel_Arruga_Vivas?= To: Ludovic =?utf-8?Q?Court=C3=A8s?= , Mathieu Othacehe Subject: Re: bug#37851: Grub installation only checks for encrypted /boot folder References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> Date: Mon, 26 Oct 2020 23:15:03 +0100 In-Reply-To: <87lftc27j2.fsf@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?= =?utf-8?Q?s?= message of "Tue, 22 Oct 2019 16:12:49 +0200") Message-ID: <87r1pkocrc.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 25305 Cc: 25305@debbugs.gnu.org, 37851@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello! Ludovic Court=C3=A8s writes: > Does that cause GRUB to mount all the LUKS partitions it was aware of at > installation time, or does it cause it to scan all the partitions in > search of a LUKS signature? > > In the latter case that wouldn=E2=80=99t be great, but in the former case= it > sounds like we could go ahead (well, with a comment above explaining > what this does. :-)). Sorry for this huuuuuuuuuge delay, but I have this patch for this. It includes a test case, even though I have been suffering a lot until I noticed that OCR was returning garbage and I was trying to be too specific, so I've left it as basic as I could. I add Mathieu to the loop to bring more eyes over it, I'm open to any suggestion. :-) Happy hacking! Miguel PS: It should apply on top of master too, but I tested it on top of some other grub.cfg fixes, I'll send a new version if there is any problem with this. --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: attachment; filename=v3-0005-system-Allow-separated-boot-and-encrypted-root.patch Content-Transfer-Encoding: quoted-printable Content-Description: 0001-system-Allow-separated-boot-and-encrypted-root.patch From=20d40f0a26afef194e7e68906ba793ca0ffac6da5f Mon Sep 17 00:00:00 2001 From: =3D?UTF-8?q?Miguel=3D20=3DC3=3D81ngel=3D20Arruga=3D20Vivas?=3D Date: Sun, 25 Oct 2020 16:31:17 +0100 Subject: [PATCH v3 5/5] system: Allow separated /boot and encrypted root. * gnu/bootloader/grub.scm (grub-configuration-file): New parameter store-crypto-devices. [crypto-devices]: New helper function. [builder]: Use crypto-devices. * gnu/machine/ssh.scm (roll-back-managed-host): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * gnu/tests/install.scm (%encrypted-root-not-boot-os, %encrypted-root-not-boot-os): New os declaration. (%encrypted-root-not-boot-installation-script): New script, whose contents were initially taken from %encrypted-root-installation-script. (%test-encrypted-root-not-boot-os): New test. * gnu/system.scm (define-module): Export operating-system-bootoader-crypto-devices and boot-parameters-store-crypto-devices. (): Add field store-crypto-devices. (read-boot-parameters): Parse store-crypto-devices field. [uuid-sexp->uuid]: New helper function extracted from device-sexp->device. (operating-system-bootloader-crypto-devices): New function. (operating-system-bootcfg): Use operating-system-bootloader-crypto-devices to provide its contents to the bootloader configuration generation process. (operating-system-boot-parameters): Add store-crypto-devices to the generated boot-parameters. (operating-system-boot-parameters-file): Likewise to the file with the serialized structure. * guix/scripts/system.scm (reinstall-bootloader): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * tests/boot-parameters.scm (%default-store-crypto-devices): New variable. (%grub-boot-parameters, test-read-boot-parameters): Use %default-store-crypto-devices. (tests store-crypto-devices): New tests. =2D-- gnu/bootloader/grub.scm | 19 ++++++- gnu/machine/ssh.scm | 3 ++ gnu/system.scm | 57 ++++++++++++++++++++- gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ guix/scripts/system.scm | 2 + tests/boot-parameters.scm | 29 ++++++++++- 6 files changed, 208 insertions(+), 5 deletions(-) diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 8636e9c690..c6e7d3fd6d 100644 =2D-- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2017 Leo Famulari ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen =2D;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Maxim Cournoyer ;;; Copyright =C2=A9 2020 Stefan ;;; @@ -361,6 +361,7 @@ code." (locale #f) (system (%current-system)) (old-entries '()) + store-crypto-devices store-directory-prefix) "Return the GRUB configuration file corresponding to CONFIG, a object, and where the store is available at @@ -413,6 +414,21 @@ menuentry ~s { (string-join (map string-join '#$modules) "\n module " 'prefix)))))) =20 + (define (crypto-devices) + (define (crypto-device->cryptomount dev) + (if (uuid? dev) + #~(format port "cryptomount -u ~a~%" + ;; cryptomount only accepts UUID without the hypen. + #$(string-delete #\- (uuid->string dev))) + ;; Other type of devices aren't implemented. + #~())) + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) + ;; XXX: Add luks2 when grub 2.06 is packaged. + (modules #~(format port "insmod luks~%"))) + (if (null? devices) + devices + (cons modules devices)))) + (define (sugar) (let* ((entry (first all-entries)) (device (menu-entry-device entry)) @@ -469,6 +485,7 @@ keymap ~a~%" #$keymap)))) "# This file was generated from your Guix configuration.= Any changes # will be lost upon reconfiguration. ") + #$@(crypto-devices) #$(sugar) #$locale-config #$keyboard-layout-config diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm index a3a12fb54b..822f401c1a 100644 =2D-- a/gnu/machine/ssh.scm +++ b/gnu/machine/ssh.scm @@ -482,6 +482,8 @@ an environment type of 'managed-host." (list (second boot-parameters)))) (locale -> (boot-parameters-locale (second boot-parameters))) + (crypto-dev -> (boot-parameters-store-crypto-devices + (second boot-parameters))) (store-dir -> (boot-parameters-store-directory-pref= ix (second boot-parameters))) (old-entries -> (map boot-parameters->menu-entry @@ -494,6 +496,7 @@ an environment type of 'managed-host." bootloader)) bootloader entries #:locale locale + #:store-crypto-devices crypto-dev #:store-directory-prefix store-dir #:old-entries old-entries))) (remote-result (machine-remote-eval machine remote-= exp))) diff --git a/gnu/system.scm b/gnu/system.scm index 30a5c418d0..3a718642cf 100644 =2D-- a/gnu/system.scm +++ b/gnu/system.scm @@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Mathieu Othacehe ;;; Copyright =C2=A9 2019 Meiyo Peng =2D;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Danny Milosavljevic ;;; Copyright =C2=A9 2020 Brice Waegeneire ;;; Copyright =C2=A9 2020 Florian Pelz @@ -112,6 +112,7 @@ operating-system-store-file-system operating-system-user-mapped-devices operating-system-boot-mapped-devices + operating-system-bootloader-crypto-devices operating-system-activation-script operating-system-user-accounts operating-system-shepherd-service-names @@ -147,6 +148,7 @@ boot-parameters-root-device boot-parameters-bootloader-name boot-parameters-bootloader-menu-entries + boot-parameters-store-crypto-devices boot-parameters-store-device boot-parameters-store-directory-prefix boot-parameters-store-mount-point @@ -301,6 +303,8 @@ directly by the user." (store-device boot-parameters-store-device) (store-mount-point boot-parameters-store-mount-point) (store-directory-prefix boot-parameters-store-directory-prefix) + (store-crypto-devices boot-parameters-store-crypto-devices + (default '())) (locale boot-parameters-locale) (kernel boot-parameters-kernel) (kernel-arguments boot-parameters-kernel-arguments) @@ -334,6 +338,13 @@ file system labels." (if (string-prefix? "/" device) device (file-system-label device)))))) + (define uuid-sexp->uuid + (match-lambda + (('uuid (? symbol? type) (? bytevector? bv)) + (bytevector->uuid bv type)) + (x + (warning (G_ "unrecognized uuid ~a at '~a'~%") x (port-filename por= t)) + #f))) =20 (match (read port) (('boot-parameters ('version 0) @@ -407,6 +418,24 @@ file system labels." ;; No store found, old format. #f))) =20 + (store-crypto-devices + (match (assq 'store rest) + (('store . store-data) + (match (assq 'crypto-devices store-data) + (('crypto-devices devices) + (if (list? devices) + (map uuid-sexp->uuid devices) + (begin + (warning (G_ "unrecognized crypto-device ~S at '~a'~%") + devices (port-filename port)) + '()))) + (_ + ;; No crypto-devices found + '()))) + (_ + ;; No store found, old format. + '()))) + (store-mount-point (match (assq 'store rest) (('store ('device _) ('mount-point mount-point) _ ...) @@ -520,6 +549,23 @@ from the initrd." (any file-system-needed-for-boot? users))) devices))) =20 +(define (operating-system-bootloader-crypto-devices os) + "Return the subset of mapped devices that the bootloader must open. +Only devices specified by uuid are supported." + (map mapped-device-source + (filter (match-lambda + ((and (=3D mapped-device-type type) + (=3D mapped-device-source source)) + (and (eq? luks-device-mapping type) + (or (uuid? source) + (begin + (warning (G_ "\ +mapped-device '~a' won't be mounted by the bootloader.~%") + source) + #f))))) + ;; XXX: Ordering is important, we trust the returned one. + (operating-system-boot-mapped-devices os)))) + (define (device-mapping-services os) "Return the list of device-mapping services for OS as a list." (map device-mapping-service @@ -1256,6 +1302,7 @@ a list of , to populate the \"old entries= \" menu." (root-fs (operating-system-root-file-system os)) (root-device (file-system-device root-fs)) (locale (operating-system-locale os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (params (operating-system-boot-parameters os root-device #:system-kernel-arguments? #t)) @@ -1269,6 +1316,7 @@ a list of , to populate the \"old entries= \" menu." (generate-config-file bootloader-conf (list entry) #:old-entries old-entries #:locale locale + #:store-crypto-devices crypto-devices #:store-directory-prefix (btrfs-store-subvolume-file-name file-systems)))) =20 @@ -1308,6 +1356,7 @@ such as '--root' and '--load' to ." (operating-system-initrd-file os))) (store (operating-system-store-file-system os)) (file-systems (operating-system-file-systems os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (locale (operating-system-locale os)) (bootloader (bootloader-configuration-bootloader (operating-system-bootloader os))) @@ -1330,6 +1379,7 @@ such as '--root' and '--load' to ." (locale locale) (store-device (ensure-not-/dev (file-system-device store))) (store-directory-prefix (btrfs-store-subvolume-file-name file-systems= )) + (store-crypto-devices crypto-devices) (store-mount-point (file-system-mount-point store))))) =20 (define (device->sexp device) @@ -1388,7 +1438,10 @@ being stored into the \"parameters\" file)." (mount-point #$(boot-parameters-store-mount-point params)) (directory-prefix =2D #$(boot-parameters-store-directory-prefix params)= ))) + #$(boot-parameters-store-directory-prefix params)) + (crypto-devices + #$(map device->sexp + (boot-parameters-store-crypto-devices params= ))))) #:set-load-path? #f))) =20 (define-gexp-compiler (operating-system-compiler (os ) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 86bd93966b..8f1668bab2 100644 =2D-- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -63,6 +63,8 @@ %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-not-boot-os + %test-encrypted-root-and-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os %test-jfs-root-os @@ -796,6 +798,107 @@ build (current-guix) and then store a couple of full = system images.") (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) =20 + +;;; +;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. +;;; + +(define-os-with-source (%encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "bootroot") + (timezone "Europe/Madrid") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vdb"))) + + (mapped-devices (list (mapped-device + (source + (uuid "12345678-1234-1234-1234-123456789abc")) + (target "root") + (type luks-device-mapping)))) + (file-systems (cons* (file-system + (device (file-system-label "my-boot")) + (mount-point "/boot") + (type "ext4")) + (file-system + (device "/dev/mapper/root") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %encrypted-root-not-boot-installation-script + ;; Shell script for an installation with boot not encrypted but root + ;; encrypted. + (format #f "\ +. /etc/profile +set -e -x +guix --version + +export GUIX_BUILD_OPTIONS=3D--no-grafts +ls -l /run/current-system/gc-roots +parted --script /dev/vdb mklabel gpt \\ + mkpart primary ext2 1M 3M \\ + mkpart primary ext2 3M 50M \\ + mkpart primary ext2 50M 1.6G \\ + set 1 boot on \\ + set 1 bios_grub on +echo -n \"~a\" | cryptsetup luksFormat --uuid=3D\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root +mkfs.ext4 -L my-root /dev/mapper/root +mkfs.ext4 -L my-boot /dev/vdb2 +mount LABEL=3Dmy-root /mnt +mkdir /mnt/boot +mount LABEL=3Dmy-boot /mnt/boot +echo \"Checking mounts\" +mount +herd start cow-store /mnt +mkdir /mnt/etc +cp /etc/target-config.scm /mnt/etc/config.scm +guix system build /mnt/etc/config.scm +guix system init /mnt/etc/config.scm /mnt --no-substitutes +sync +echo \"Debugging info\" +blkid +cat /mnt/boot/grub/grub.cfg +reboot\n" + %luks-passphrase "12345678-1234-1234-1234-123456789abc" + %luks-passphrase)) + +(define %test-encrypted-root-not-boot-os + (system-test + (name "encrypted-root-not-boot-os") + (description + "Test the manual installation on an OS with / in an encrypted partition +but /boot on a different, non-encrypted partition. This test is expensive= in +terms of CPU and storage usage since we need to build (current-guix) and t= hen +store a couple of full system images.") + (value + (mlet* %store-monad + ((image (run-install %encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source + #:script + %encrypted-root-not-boot-installation-script)) + (command (qemu-command/writable-image image))) + (run-basic-test %encrypted-root-not-boot-os command + "encrypted-root-not-boot-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Btrfs root file system. diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index ad998156c2..02cf2a12a2 100644 =2D-- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm @@ -385,6 +385,7 @@ STORE is an open connection to the store." (params (first (profile-boot-parameters %system-profile (list number)))) (locale (boot-parameters-locale params)) + (store-crypto-devices (boot-parameters-store-crypto-devices param= s)) (store-directory-prefix (boot-parameters-store-directory-prefix params)) (old-generations @@ -400,6 +401,7 @@ STORE is an open connection to the store." ((bootloader-configuration-file-generator bootloader) bootloader-config entries #:locale locale + #:store-crypto-devices store-crypto-devices #:store-directory-prefix store-directory-prefix #:old-entries old-entries))) (drvs -> (list bootcfg))) diff --git a/tests/boot-parameters.scm b/tests/boot-parameters.scm index a00b227551..c26ac83b7b 100644 =2D-- a/tests/boot-parameters.scm +++ b/tests/boot-parameters.scm @@ -50,6 +50,8 @@ (define %default-store-directory-prefix (string-append "/" %default-btrfs-subvolume)) (define %default-store-mount-point (%store-prefix)) +(define %default-store-crypto-devices + (list (uuid "00000000-1111-2222-3333-444444444444"))) (define %default-multiboot-modules '()) (define %default-locale "es_ES.utf8") (define %root-path "/") @@ -67,6 +69,7 @@ (locale %default-locale) (store-device %default-store-device) (store-directory-prefix %default-store-directory-prefix) + (store-crypto-devices %default-store-crypto-devices) (store-mount-point %default-store-mount-point))) =20 (define %default-operating-system @@ -110,6 +113,8 @@ (with-store #t) (store-device (quote-uuid %default-store-device)) + (store-crypto-devices + (map quote-uuid %default-store-crypto-devices)) (store-directory-prefix %default-store-directory-prefix) (store-mount-point %default-store-mount-point)) (define (generate-boot-parameters) @@ -125,12 +130,14 @@ (sexp-or-nothing " (kernel-arguments ~S)" kernel-arguments) (sexp-or-nothing " (initrd ~S)" initrd) (if with-store =2D (format #false " (store~a~a~a)" + (format #false " (store~a~a~a~a)" (sexp-or-nothing " (device ~S)" store-device) (sexp-or-nothing " (mount-point ~S)" store-mount-point) (sexp-or-nothing " (directory-prefix ~S)" =2D store-directory-prefix)) + store-directory-prefix) + (sexp-or-nothing " (crypto-devices ~S)" + store-crypto-devices)) "") (sexp-or-nothing " (locale ~S)" locale) (sexp-or-nothing " (bootloader-name ~a)" bootloader-name) @@ -159,6 +166,7 @@ (test-read-boot-parameters #:store-device #false) (test-read-boot-parameters #:store-device 'false) (test-read-boot-parameters #:store-mount-point #false) + (test-read-boot-parameters #:store-crypto-devices #false) (test-read-boot-parameters #:store-directory-prefix #false) (test-read-boot-parameters #:multiboot-modules #false) (test-read-boot-parameters #:locale #false) @@ -254,6 +262,23 @@ (boot-parameters-store-mount-point (test-read-boot-parameters #:with-store #false))) =20 +(test-equal "read, store-crypto-devices, default" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices #false))) + +;; XXX: +(test-equal "read, store-crypto-devices, false" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices 'false))) + +;; XXX: +(test-equal "read, store-crypto-devices, string" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices "bad"))) + ;; For whitebox testing (define operating-system-boot-parameters (@@ (gnu system) operating-system-boot-parameters)) =2D-=20 2.28.0 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEiIeExBRZrMuD5+hMY0xuiXn6vsIFAl+XSmgACgkQY0xuiXn6 vsIcgwwAp0YDr07LjQ18+N7PGH2bgqNRSIDXPeEGknfjrPu2naRdXhGeB97JNRkD JGO9jp50e4aiRbxjL+Zjw2VDIsKoSTH73rNwSgPTDKHbaadDOhF2LypR8NpnRdGP HB4o0uIeb09eXpqYxuFA4586nO4q151DxA528G9v+3AePDGUhuc2EgOhp8Rl8Bec T8twYFomXrIF8uBguycXsyTvFEVSBdZFIaLds7wK8N64Cm29Erl8MIc3seL7KS3Y fdLxTgCUF4FRGN+EHNFYzfa/nm86RGLin1AS+ZLmwZL20mV4KJmEfP+mOwSWuKHy x2eHczFDos+N7Po/2Ei6xx/RYEuE/QaTYqbOGtoKKWxnO0d+9qeePOqnf0n9u1C7 rn6iEPSwvtlPmo0NLEaDcuDd3/3c5EFjLEhWg7YgEq0Ea3XsiGpo3qvNLeRM3J0Y VnOrSh0UkHdi60dFXKKvMyYlVeyR5qZrH7Oryy7Cx44auGiibhucxwA3SZRNaWUm rvVOLi57 =/zYW -----END PGP SIGNATURE----- --==-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 28 17:42:40 2020 Received: (at 25305) by debbugs.gnu.org; 28 Oct 2020 21:42:40 +0000 Received: from localhost ([127.0.0.1]:50962 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kXtDL-0001vA-Np for submit@debbugs.gnu.org; Wed, 28 Oct 2020 17:42:40 -0400 Received: from mail-wm1-f50.google.com ([209.85.128.50]:33494) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kXtDD-0001uc-6q; Wed, 28 Oct 2020 17:42:32 -0400 Received: by mail-wm1-f50.google.com with SMTP id l20so602515wme.0; Wed, 28 Oct 2020 14:42:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=3LBHOtT4urj2URf+oxObRUmOF+inqmhpE/CBfVCRMTM=; b=iA6KVZYKbAFUu9pJqKWIXwFONU63x3neP2hsvg1zh/ygP1klt89DbSadsOtma6tXR8 AM4b/ss5tAZQ1ratRWFO7OxFFOLfRdbrWBiCVl65zniiDY2JjvIpaM6+DFlwJRbnP7ee MiyCFf2MIwugnOIx3JpruJ+KM/sAruGY8ZvvR8u3k6sWdWlhV4A1eAXBhO5nP68yfaVk KWQ4/U4QxOaw5vuacxxF0GbwCg+zlr/hpA1egtA7++aXqitnDAhG/9yjq6Xfidglif3b pjPvCj8brvqbcbZSSLFtMIvsd1h8F95xq412Tphk16AARKHcI8W0GzCeWXRbPt2jS+Wj W+Vg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=3LBHOtT4urj2URf+oxObRUmOF+inqmhpE/CBfVCRMTM=; b=QHTgZ6j6YEU3qe4n8A1H/fVQWND8nsgGXRU2JSd/j2n9DQe6oCq62s7qMC5mq4BezH R5fOM7ksPyPZT04cq+s2yptcqirxyREcThUg5ykpisoG1Eu5qHP7D5JNEYTKxsxrnE6Z USBobe7m4W+M+9bq2GK3jBJpJwShhV7HXhAZskGSvIFyZhPumjMobdDbfHA+TMuvMAa8 myFUptOohB4mWYiPfrEQbf0y/KlOgTqsA5MkEcZB34PjUR0mLob8fEcj/ImjTiB5p2NW ca3vuPsUaG+0ge+I+4+4N+rpqBftnEH25/UiB1WjMsuEBoWZj1tZp7h1f2eG1l5pVeRk HQ7w== X-Gm-Message-State: AOAM530hnS8/MACNAh97vQ8xVzh/9vXmg63lkS+sqndLYHnIc6FEL3AO hNaubQfINRNdXKtj2VUcosYaHdve8kblww== X-Google-Smtp-Source: ABdhPJyP5qD3U3geq88AJ+cVHm1O2D4zpWh2oKTOzVW8N87lDcCfEYnK/DZp2MoWgYlUj6dg5uca6g== X-Received: by 2002:a05:600c:2888:: with SMTP id g8mr881301wmd.130.1603921341992; Wed, 28 Oct 2020 14:42:21 -0700 (PDT) Received: from unfall (218.139.134.37.dynamic.jazztel.es. [37.134.139.218]) by smtp.gmail.com with ESMTPSA id z4sm1228199wrg.53.2020.10.28.14.42.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Oct 2020 14:42:20 -0700 (PDT) From: =?utf-8?Q?Miguel_=C3=81ngel_Arruga_Vivas?= To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com> Date: Wed, 28 Oct 2020 22:42:19 +0100 In-Reply-To: <87r1pkocrc.fsf@gmail.com> ("Miguel =?utf-8?Q?=C3=81ngel?= Arruga Vivas"'s message of "Mon, 26 Oct 2020 23:15:03 +0100") Message-ID: <87ft5ym3ic.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 25305 Cc: 25305@debbugs.gnu.org, Mathieu Othacehe , 37851@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) --=-=-= Content-Type: text/plain In this v2 I've fixed two flaws I saw in the previous patch: the parameter store-crypto-devices now has the empty list as default value, and now the function documents for the parameter too. Happy hacking! Miguel --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: attachment; filename=v4-0005-system-Allow-separated-boot-and-encrypted-root.patch Content-Transfer-Encoding: quoted-printable Content-Description: 0001-system-Allow-separated-/boot-and-encrypted-root.patch >From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001 From: =3D?UTF-8?q?Miguel=3D20=3DC3=3D81ngel=3D20Arruga=3D20Vivas?=3D Date: Sun, 25 Oct 2020 16:31:17 +0100 Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root. * gnu/bootloader/grub.scm (grub-configuration-file): New parameter store-crypto-devices. [crypto-devices]: New helper function. [builder]: Use crypto-devices. * gnu/machine/ssh.scm (roll-back-managed-host): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * gnu/tests/install.scm (%encrypted-root-not-boot-os, %encrypted-root-not-boot-os): New os declaration. (%encrypted-root-not-boot-installation-script): New script, whose contents were initially taken from %encrypted-root-installation-script. (%test-encrypted-root-not-boot-os): New test. * gnu/system.scm (define-module): Export operating-system-bootoader-crypto-devices and boot-parameters-store-crypto-devices. (): Add field store-crypto-devices. (read-boot-parameters): Parse store-crypto-devices field. [uuid-sexp->uuid]: New helper function extracted from device-sexp->device. (operating-system-bootloader-crypto-devices): New function. (operating-system-bootcfg): Use operating-system-bootloader-crypto-devices to provide its contents to the bootloader configuration generation process. (operating-system-boot-parameters): Add store-crypto-devices to the generated boot-parameters. (operating-system-boot-parameters-file): Likewise to the file with the serialized structure. * guix/scripts/system.scm (reinstall-bootloader): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * tests/boot-parameters.scm (%default-store-crypto-devices): New variable. (%grub-boot-parameters, test-read-boot-parameters): Use %default-store-crypto-devices. (tests store-crypto-devices): New tests. --- gnu/bootloader/grub.scm | 21 +++++++- gnu/machine/ssh.scm | 3 ++ gnu/system.scm | 57 ++++++++++++++++++++- gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ guix/scripts/system.scm | 2 + tests/boot-parameters.scm | 29 ++++++++++- 6 files changed, 210 insertions(+), 5 deletions(-) diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index e5fc3470a9..40ea4fbaf7 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2017 Leo Famulari ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Maxim Cournoyer ;;; Copyright =C2=A9 2020 Stefan ;;; @@ -360,11 +360,14 @@ code." (locale #f) (system (%current-system)) (old-entries '()) + (store-crypto-devices '()) store-directory-prefix) "Return the GRUB configuration file corresponding to CONFIG, a object, and where the store is available at STORE-FS, a object. OLD-ENTRIES is taken to be a list of me= nu entries corresponding to old generations of the system. +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must +be unlocked to access the store contents. STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is requir= ed when booting a root file system on a Btrfs subvolume." (define all-entries @@ -412,6 +415,21 @@ menuentry ~s { (string-join (map string-join '#$modules) "\n module " 'prefix)))))) =20 + (define (crypto-devices) + (define (crypto-device->cryptomount dev) + (if (uuid? dev) + #~(format port "cryptomount -u ~a~%" + ;; cryptomount only accepts UUID without the hypen. + #$(string-delete #\- (uuid->string dev))) + ;; Other type of devices aren't implemented. + #~())) + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) + ;; XXX: Add luks2 when grub 2.06 is packaged. + (modules #~(format port "insmod luks~%"))) + (if (null? devices) + devices + (cons modules devices)))) + (define (sugar) (let* ((entry (first all-entries)) (device (menu-entry-device entry)) @@ -468,6 +486,7 @@ keymap ~a~%" #$keymap)))) "# This file was generated from your Guix configuration.= Any changes # will be lost upon reconfiguration. ") + #$@(crypto-devices) #$(sugar) #$locale-config #$keyboard-layout-config diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm index a3a12fb54b..822f401c1a 100644 --- a/gnu/machine/ssh.scm +++ b/gnu/machine/ssh.scm @@ -482,6 +482,8 @@ an environment type of 'managed-host." (list (second boot-parameters)))) (locale -> (boot-parameters-locale (second boot-parameters))) + (crypto-dev -> (boot-parameters-store-crypto-devices + (second boot-parameters))) (store-dir -> (boot-parameters-store-directory-pref= ix (second boot-parameters))) (old-entries -> (map boot-parameters->menu-entry @@ -494,6 +496,7 @@ an environment type of 'managed-host." bootloader)) bootloader entries #:locale locale + #:store-crypto-devices crypto-dev #:store-directory-prefix store-dir #:old-entries old-entries))) (remote-result (machine-remote-eval machine remote-= exp))) diff --git a/gnu/system.scm b/gnu/system.scm index 30a5c418d0..3a718642cf 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Mathieu Othacehe ;;; Copyright =C2=A9 2019 Meiyo Peng -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Danny Milosavljevic ;;; Copyright =C2=A9 2020 Brice Waegeneire ;;; Copyright =C2=A9 2020 Florian Pelz @@ -112,6 +112,7 @@ operating-system-store-file-system operating-system-user-mapped-devices operating-system-boot-mapped-devices + operating-system-bootloader-crypto-devices operating-system-activation-script operating-system-user-accounts operating-system-shepherd-service-names @@ -147,6 +148,7 @@ boot-parameters-root-device boot-parameters-bootloader-name boot-parameters-bootloader-menu-entries + boot-parameters-store-crypto-devices boot-parameters-store-device boot-parameters-store-directory-prefix boot-parameters-store-mount-point @@ -301,6 +303,8 @@ directly by the user." (store-device boot-parameters-store-device) (store-mount-point boot-parameters-store-mount-point) (store-directory-prefix boot-parameters-store-directory-prefix) + (store-crypto-devices boot-parameters-store-crypto-devices + (default '())) (locale boot-parameters-locale) (kernel boot-parameters-kernel) (kernel-arguments boot-parameters-kernel-arguments) @@ -334,6 +338,13 @@ file system labels." (if (string-prefix? "/" device) device (file-system-label device)))))) + (define uuid-sexp->uuid + (match-lambda + (('uuid (? symbol? type) (? bytevector? bv)) + (bytevector->uuid bv type)) + (x + (warning (G_ "unrecognized uuid ~a at '~a'~%") x (port-filename por= t)) + #f))) =20 (match (read port) (('boot-parameters ('version 0) @@ -407,6 +418,24 @@ file system labels." ;; No store found, old format. #f))) =20 + (store-crypto-devices + (match (assq 'store rest) + (('store . store-data) + (match (assq 'crypto-devices store-data) + (('crypto-devices devices) + (if (list? devices) + (map uuid-sexp->uuid devices) + (begin + (warning (G_ "unrecognized crypto-device ~S at '~a'~%") + devices (port-filename port)) + '()))) + (_ + ;; No crypto-devices found + '()))) + (_ + ;; No store found, old format. + '()))) + (store-mount-point (match (assq 'store rest) (('store ('device _) ('mount-point mount-point) _ ...) @@ -520,6 +549,23 @@ from the initrd." (any file-system-needed-for-boot? users))) devices))) =20 +(define (operating-system-bootloader-crypto-devices os) + "Return the subset of mapped devices that the bootloader must open. +Only devices specified by uuid are supported." + (map mapped-device-source + (filter (match-lambda + ((and (=3D mapped-device-type type) + (=3D mapped-device-source source)) + (and (eq? luks-device-mapping type) + (or (uuid? source) + (begin + (warning (G_ "\ +mapped-device '~a' won't be mounted by the bootloader.~%") + source) + #f))))) + ;; XXX: Ordering is important, we trust the returned one. + (operating-system-boot-mapped-devices os)))) + (define (device-mapping-services os) "Return the list of device-mapping services for OS as a list." (map device-mapping-service @@ -1256,6 +1302,7 @@ a list of , to populate the \"old entries= \" menu." (root-fs (operating-system-root-file-system os)) (root-device (file-system-device root-fs)) (locale (operating-system-locale os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (params (operating-system-boot-parameters os root-device #:system-kernel-arguments? #t)) @@ -1269,6 +1316,7 @@ a list of , to populate the \"old entries= \" menu." (generate-config-file bootloader-conf (list entry) #:old-entries old-entries #:locale locale + #:store-crypto-devices crypto-devices #:store-directory-prefix (btrfs-store-subvolume-file-name file-systems)))) =20 @@ -1308,6 +1356,7 @@ such as '--root' and '--load' to ." (operating-system-initrd-file os))) (store (operating-system-store-file-system os)) (file-systems (operating-system-file-systems os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (locale (operating-system-locale os)) (bootloader (bootloader-configuration-bootloader (operating-system-bootloader os))) @@ -1330,6 +1379,7 @@ such as '--root' and '--load' to ." (locale locale) (store-device (ensure-not-/dev (file-system-device store))) (store-directory-prefix (btrfs-store-subvolume-file-name file-systems= )) + (store-crypto-devices crypto-devices) (store-mount-point (file-system-mount-point store))))) =20 (define (device->sexp device) @@ -1388,7 +1438,10 @@ being stored into the \"parameters\" file)." (mount-point #$(boot-parameters-store-mount-point params)) (directory-prefix - #$(boot-parameters-store-directory-prefix params)))) + #$(boot-parameters-store-directory-prefix params)) + (crypto-devices + #$(map device->sexp + (boot-parameters-store-crypto-devices params= ))))) #:set-load-path? #f))) =20 (define-gexp-compiler (operating-system-compiler (os ) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 86bd93966b..8f1668bab2 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -63,6 +63,8 @@ %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-not-boot-os + %test-encrypted-root-and-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os %test-jfs-root-os @@ -796,6 +798,107 @@ build (current-guix) and then store a couple of full = system images.") (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) =20 + +;;; +;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. +;;; + +(define-os-with-source (%encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "bootroot") + (timezone "Europe/Madrid") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vdb"))) + + (mapped-devices (list (mapped-device + (source + (uuid "12345678-1234-1234-1234-123456789abc")) + (target "root") + (type luks-device-mapping)))) + (file-systems (cons* (file-system + (device (file-system-label "my-boot")) + (mount-point "/boot") + (type "ext4")) + (file-system + (device "/dev/mapper/root") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %encrypted-root-not-boot-installation-script + ;; Shell script for an installation with boot not encrypted but root + ;; encrypted. + (format #f "\ +. /etc/profile +set -e -x +guix --version + +export GUIX_BUILD_OPTIONS=3D--no-grafts +ls -l /run/current-system/gc-roots +parted --script /dev/vdb mklabel gpt \\ + mkpart primary ext2 1M 3M \\ + mkpart primary ext2 3M 50M \\ + mkpart primary ext2 50M 1.6G \\ + set 1 boot on \\ + set 1 bios_grub on +echo -n \"~a\" | cryptsetup luksFormat --uuid=3D\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root +mkfs.ext4 -L my-root /dev/mapper/root +mkfs.ext4 -L my-boot /dev/vdb2 +mount LABEL=3Dmy-root /mnt +mkdir /mnt/boot +mount LABEL=3Dmy-boot /mnt/boot +echo \"Checking mounts\" +mount +herd start cow-store /mnt +mkdir /mnt/etc +cp /etc/target-config.scm /mnt/etc/config.scm +guix system build /mnt/etc/config.scm +guix system init /mnt/etc/config.scm /mnt --no-substitutes +sync +echo \"Debugging info\" +blkid +cat /mnt/boot/grub/grub.cfg +reboot\n" + %luks-passphrase "12345678-1234-1234-1234-123456789abc" + %luks-passphrase)) + +(define %test-encrypted-root-not-boot-os + (system-test + (name "encrypted-root-not-boot-os") + (description + "Test the manual installation on an OS with / in an encrypted partition +but /boot on a different, non-encrypted partition. This test is expensive= in +terms of CPU and storage usage since we need to build (current-guix) and t= hen +store a couple of full system images.") + (value + (mlet* %store-monad + ((image (run-install %encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source + #:script + %encrypted-root-not-boot-installation-script)) + (command (qemu-command/writable-image image))) + (run-basic-test %encrypted-root-not-boot-os command + "encrypted-root-not-boot-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Btrfs root file system. diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index ad998156c2..02cf2a12a2 100644 --- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm @@ -385,6 +385,7 @@ STORE is an open connection to the store." (params (first (profile-boot-parameters %system-profile (list number)))) (locale (boot-parameters-locale params)) + (store-crypto-devices (boot-parameters-store-crypto-devices param= s)) (store-directory-prefix (boot-parameters-store-directory-prefix params)) (old-generations @@ -400,6 +401,7 @@ STORE is an open connection to the store." ((bootloader-configuration-file-generator bootloader) bootloader-config entries #:locale locale + #:store-crypto-devices store-crypto-devices #:store-directory-prefix store-directory-prefix #:old-entries old-entries))) (drvs -> (list bootcfg))) diff --git a/tests/boot-parameters.scm b/tests/boot-parameters.scm index a00b227551..c26ac83b7b 100644 --- a/tests/boot-parameters.scm +++ b/tests/boot-parameters.scm @@ -50,6 +50,8 @@ (define %default-store-directory-prefix (string-append "/" %default-btrfs-subvolume)) (define %default-store-mount-point (%store-prefix)) +(define %default-store-crypto-devices + (list (uuid "00000000-1111-2222-3333-444444444444"))) (define %default-multiboot-modules '()) (define %default-locale "es_ES.utf8") (define %root-path "/") @@ -67,6 +69,7 @@ (locale %default-locale) (store-device %default-store-device) (store-directory-prefix %default-store-directory-prefix) + (store-crypto-devices %default-store-crypto-devices) (store-mount-point %default-store-mount-point))) =20 (define %default-operating-system @@ -110,6 +113,8 @@ (with-store #t) (store-device (quote-uuid %default-store-device)) + (store-crypto-devices + (map quote-uuid %default-store-crypto-devices)) (store-directory-prefix %default-store-directory-prefix) (store-mount-point %default-store-mount-point)) (define (generate-boot-parameters) @@ -125,12 +130,14 @@ (sexp-or-nothing " (kernel-arguments ~S)" kernel-arguments) (sexp-or-nothing " (initrd ~S)" initrd) (if with-store - (format #false " (store~a~a~a)" + (format #false " (store~a~a~a~a)" (sexp-or-nothing " (device ~S)" store-device) (sexp-or-nothing " (mount-point ~S)" store-mount-point) (sexp-or-nothing " (directory-prefix ~S)" - store-directory-prefix)) + store-directory-prefix) + (sexp-or-nothing " (crypto-devices ~S)" + store-crypto-devices)) "") (sexp-or-nothing " (locale ~S)" locale) (sexp-or-nothing " (bootloader-name ~a)" bootloader-name) @@ -159,6 +166,7 @@ (test-read-boot-parameters #:store-device #false) (test-read-boot-parameters #:store-device 'false) (test-read-boot-parameters #:store-mount-point #false) + (test-read-boot-parameters #:store-crypto-devices #false) (test-read-boot-parameters #:store-directory-prefix #false) (test-read-boot-parameters #:multiboot-modules #false) (test-read-boot-parameters #:locale #false) @@ -254,6 +262,23 @@ (boot-parameters-store-mount-point (test-read-boot-parameters #:with-store #false))) =20 +(test-equal "read, store-crypto-devices, default" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices #false))) + +;; XXX: +(test-equal "read, store-crypto-devices, false" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices 'false))) + +;; XXX: +(test-equal "read, store-crypto-devices, string" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices "bad"))) + ;; For whitebox testing (define operating-system-boot-parameters (@@ (gnu system) operating-system-boot-parameters)) --=20 2.28.0 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Nov 16 12:57:07 2020 Received: (at 25305) by debbugs.gnu.org; 16 Nov 2020 17:57:07 +0000 Received: from localhost ([127.0.0.1]:57118 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1keikV-0007Ps-0K for submit@debbugs.gnu.org; Mon, 16 Nov 2020 12:57:07 -0500 Received: from mout.web.de ([212.227.15.14]:34305) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1keikR-0007PL-Fh for 25305@debbugs.gnu.org; Mon, 16 Nov 2020 12:57:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1605549417; bh=+K14VMLxxOB7QX0cJU1qyBMF7CoMdyLBEfHigV72DlY=; h=X-UI-Sender-Class:To:Subject:From:Date; b=L0H7UdQuhUxljfEprQsm1eQGskLoDf5yajh1Sdk62KGeGNx8oiJqPgt9JOC5ri7TL KtGNAjmLRkfwbz/AdVn4owU0IlNgfm4zrdOG4ff1HzO3YDS5WZgAllaZtMvcveSAgB I7kygofGXBPFII6AFes1hOpjD4pqSkkToxPFYSR8= X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9 Received: from [192.168.178.74] ([88.152.184.82]) by smtp.web.de (mrweb002 [213.165.67.108]) with ESMTPSA (Nemesis) id 0LbZlL-1jyTAI01JD-00lGfD for <25305@debbugs.gnu.org>; Mon, 16 Nov 2020 18:56:57 +0100 To: 25305@debbugs.gnu.org Subject: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 From: Jonathan Brielmaier Message-ID: <5fb878e0-31f3-b47f-8889-f68888d26564@web.de> Date: Mon, 16 Nov 2020 18:56:56 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.4.3 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:Mp0Lge6xWbep6+vODgoMoSMeIyzIwLVlDdKOF2c2yCTCGsRcecZ ECzPix++aKEWUqNpInqQsmkg9zZ2RU1rv1OJuCaepirkVhLKFKCtdtEe91gU3TDdHybm5CG yAeeYDvLSaIbGHypBHQ8aaBHyQKI1WCySDX8x89HQnuVuFC3GjzpGxe1t2e+5eJSpMx3q3D /UNNSg7dQUpqjr6CrKvsg== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:nUQqnA3DuM8=:exRl0kSuILR+6qNd3Yeo5p y16ijczKCssZXS/sCveHt8p60v1HKdgMoHRaxrxif4+bzRgHs/zaOTihh7xTP1fHEhI/37oo0 6531nBSEdQ8+tmx3rv/vmkR3eTMP8fCEtWrYVQsEUmnIZfYCN6gFLn5q/icDLrNkXuwmaZsNv AJdlbNlc1VOHb1WVti3TfURe0QIoJ0jMhgVIwYBVkm9xYslQzUUPauFXpY9rEzzvlRaorlbjf KOATN7Aba1DUbcf3ibLB+1K57ZB4eca1ZccEoEczJ6s3sR0Fe/+a4TiNhOLB7bnSpsjLFXjX6 WQC+sRBXKMpQO8eHoNVtDg3WAI97nJLJ4wUN0pVCeRHdhmef67hBuRGz7ubAL8wtfCk82Mu2P 8D5zNXycsShNSLLmVCnyMEqzwrtGJfH01SomdQvgF0prlKDneGIzNBaHY9KOZFXPSNbfvriW4 6aqHeuek/sCTrxsPn6g/uWfk/yIO4zQGk8ImaSQERCqUFV9YUbf1eKXQSRfPNQXjGx2YlTYNG xpX1hcRZNSYM8cuBFuAmWWM1XxNwflK5aFqDvA9Ur8UuO1O4rVWt0Rm08V8ozatlgxoGD4V03 cFQZwcGaVSzk7YDMOhT0th8p048NbsgZItaTIXoVmJHuhKwByExl/CFbUAp+BAb0zFuwW9Tnq OVO008UeWmPBCus7vG0rvxAnpmgCDt7tz3SqO7tP4EJxvDMNL0PL/9uLA68/sPtN9soOY0nsX i3+bIJGQL6JHjI4H1L5UVRES3EdWQdQsWDwOahCEmPsVs2H3EIbt1MwlMh65xD5R/XAcbi+g7 DIVTAubKrm69VUNJ+eLa3S80Y1IdHUddx+TNLBeMyc7KNVrcVgeIOyr3IAyZ5tPGI0SSCIQWK taHy0d8DFJkH9M5GZAfFnffGUj4kT8Bb0SwbDjph8= X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 25305 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) We have now pretty good LUKS support, but I don't know if we support this use case. I always have `/boot` encrypted as well... From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 18 11:54:27 2020 Received: (at 25305) by debbugs.gnu.org; 18 Nov 2020 16:54:27 +0000 Received: from localhost ([127.0.0.1]:36270 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kfQix-00010k-L7 for submit@debbugs.gnu.org; Wed, 18 Nov 2020 11:54:27 -0500 Received: from dd26836.kasserver.com ([85.13.145.193]:41036) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kfQiv-00010Y-Co for 25305@debbugs.gnu.org; Wed, 18 Nov 2020 11:54:26 -0500 Received: from localhost (80-110-126-103.cgn.dynamic.surfer.at [80.110.126.103]) by dd26836.kasserver.com (Postfix) with ESMTPSA id 75B543360150; Wed, 18 Nov 2020 17:54:23 +0100 (CET) Date: Wed, 18 Nov 2020 17:54:21 +0100 From: Danny Milosavljevic To: Jonathan Brielmaier Subject: Re: bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 Message-ID: <20201118175421.185045c7@scratchpost.org> In-Reply-To: <5fb878e0-31f3-b47f-8889-f68888d26564@web.de> References: <87inq16km3.fsf@gnu.org> <5fb878e0-31f3-b47f-8889-f68888d26564@web.de> X-Mailer: Claws Mail 3.17.7 (GTK+ 2.24.32; x86_64-unknown-linux-gnu) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_/D6Ej8epUkzte0uPyrf9b6Ri"; protocol="application/pgp-signature"; micalg=pgp-sha512 X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 25305 Cc: 25305@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --Sig_/D6Ej8epUkzte0uPyrf9b6Ri Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Mon, 16 Nov 2020 18:56:56 +0100 Jonathan Brielmaier wrote: > We have now pretty good LUKS support, but I don't know if we support > this use case. I always have `/boot` encrypted as well... Unencrypted /boot and encrypted / is necessary to be able to use Heads (right now). (It measures /boot in order to find out whether it has been tampered with or not) If you want to be able to boot on a Heads system, either Heads needs to be modified to mount encrypted / , or there needs to be an unencrypted /boot. --Sig_/D6Ej8epUkzte0uPyrf9b6Ri Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEds7GsXJ0tGXALbPZ5xo1VCwwuqUFAl+1Ub0ACgkQ5xo1VCww uqWoOggAoA1dNkv2HPBNB81YomfflymLhCdr2L0aDs9+HQl5hu5o6jXKCrlpcjB3 tt1CJH9usAm2rjBjdDOKK53f1l4MQqjewceMNGurog5+eflb+Os9ZXUBGZxLkTHY Uj4VBhAaN+i3dYBW/ARDDyHSRkV4vD6LB9Bkl9t6U/Az4Nn/viyvLCxLNZbWHXRn 8FPCFEGJLXoz0cvWqaOoce9hS/Ls/4HB/7G3CbdJ0REFc2zjJ+sF1bffGERLKfEN 27OTWHk+AqiUOmMkzuZZCh2E4fSM4uaLWOOIjoydzmmJbCedzx0ZMjWLuQLYLqEm INZl40Z8bDezEkE8jiy0O14fBOtevQ== =fdf5 -----END PGP SIGNATURE----- --Sig_/D6Ej8epUkzte0uPyrf9b6Ri-- From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 18 12:47:03 2020 Received: (at 25305) by debbugs.gnu.org; 18 Nov 2020 17:47:03 +0000 Received: from localhost ([127.0.0.1]:36398 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kfRXq-0004Wu-RI for submit@debbugs.gnu.org; Wed, 18 Nov 2020 12:47:03 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46206) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kfRXo-0004WL-Mp for 25305@debbugs.gnu.org; Wed, 18 Nov 2020 12:47:01 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:58184) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kfRXf-0005y3-Nr; Wed, 18 Nov 2020 12:46:53 -0500 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=33686 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kfRXf-0000q3-5Q; Wed, 18 Nov 2020 12:46:51 -0500 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Danny Milosavljevic Subject: Re: bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0 References: <87inq16km3.fsf@gnu.org> <5fb878e0-31f3-b47f-8889-f68888d26564@web.de> <20201118175421.185045c7@scratchpost.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 28 Brumaire an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Wed, 18 Nov 2020 18:46:49 +0100 In-Reply-To: <20201118175421.185045c7@scratchpost.org> (Danny Milosavljevic's message of "Wed, 18 Nov 2020 17:54:21 +0100") Message-ID: <871rgqmuba.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 25305 Cc: 25305@debbugs.gnu.org, Jonathan Brielmaier X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, Danny Milosavljevic skribis: > (It measures /boot in order to find out whether it has been tampered with= or > not) (Off-topic.) I=E2=80=99d be curious to see how much of this approach makes = sense in the context of immutable deployments like Guix does. Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 14 08:11:48 2020 Received: (at 25305) by debbugs.gnu.org; 14 Dec 2020 13:11:48 +0000 Received: from localhost ([127.0.0.1]:51551 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kondj-0005G7-Jo for submit@debbugs.gnu.org; Mon, 14 Dec 2020 08:11:48 -0500 Received: from eggs.gnu.org ([209.51.188.92]:60142) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kondh-0005Fp-LG; Mon, 14 Dec 2020 08:11:46 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:51901) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kondc-0005nv-Ff; Mon, 14 Dec 2020 08:11:40 -0500 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=40338 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kondb-0007ym-Fg; Mon, 14 Dec 2020 08:11:39 -0500 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Miguel =?utf-8?Q?=C3=81ngel?= Arruga Vivas Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com> <87ft5ym3ic.fsf@gmail.com> Date: Mon, 14 Dec 2020 14:11:37 +0100 In-Reply-To: <87ft5ym3ic.fsf@gmail.com> ("Miguel =?utf-8?Q?=C3=81ngel?= Arruga Vivas"'s message of "Wed, 28 Oct 2020 22:42:19 +0100") Message-ID: <87k0tksfau.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 25305 Cc: 25305@debbugs.gnu.org, Mathieu Othacehe , 37851@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi Miguel, Miguel =C3=81ngel Arruga Vivas skribis: >>>From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001 > From: =3D?UTF-8?q?Miguel=3D20=3DC3=3D81ngel=3D20Arruga=3D20Vivas?=3D > > Date: Sun, 25 Oct 2020 16:31:17 +0100 > Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root. > > * gnu/bootloader/grub.scm (grub-configuration-file): New parameter > store-crypto-devices. > [crypto-devices]: New helper function. > [builder]: Use crypto-devices. > * gnu/machine/ssh.scm (roll-back-managed-host): Use > boot-parameters-store-crypto-devices to provide its contents to the > bootloader configuration generation process. > * gnu/tests/install.scm (%encrypted-root-not-boot-os, > %encrypted-root-not-boot-os): New os declaration. > (%encrypted-root-not-boot-installation-script): New script, whose contents > were initially taken from %encrypted-root-installation-script. > (%test-encrypted-root-not-boot-os): New test. > * gnu/system.scm (define-module): Export > operating-system-bootoader-crypto-devices and > boot-parameters-store-crypto-devices. > (): Add field store-crypto-devices. > (read-boot-parameters): Parse store-crypto-devices field. > [uuid-sexp->uuid]: New helper function extracted from > device-sexp->device. > (operating-system-bootloader-crypto-devices): New function. > (operating-system-bootcfg): Use > operating-system-bootloader-crypto-devices to provide its contents to > the bootloader configuration generation process. > (operating-system-boot-parameters): Add store-crypto-devices to the > generated boot-parameters. > (operating-system-boot-parameters-file): Likewise to the file with > the serialized structure. > * guix/scripts/system.scm (reinstall-bootloader): Use > boot-parameters-store-crypto-devices to provide its contents to the > bootloader configuration generation process. > * tests/boot-parameters.scm (%default-store-crypto-devices): New > variable. > (%grub-boot-parameters, test-read-boot-parameters): Use > %default-store-crypto-devices. > (tests store-crypto-devices): New tests. > --- > gnu/bootloader/grub.scm | 21 +++++++- > gnu/machine/ssh.scm | 3 ++ > gnu/system.scm | 57 ++++++++++++++++++++- > gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ > guix/scripts/system.scm | 2 + > tests/boot-parameters.scm | 29 ++++++++++- > 6 files changed, 210 insertions(+), 5 deletions(-) Woohoo! > --- a/gnu/bootloader/grub.scm > +++ b/gnu/bootloader/grub.scm > @@ -4,7 +4,7 @@ > ;;; Copyright =C2=A9 2017 Leo Famulari > ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe > ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen > -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas > +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas > ;;; Copyright =C2=A9 2020 Maxim Cournoyer > ;;; Copyright =C2=A9 2020 Stefan > ;;; > @@ -360,11 +360,14 @@ code." > (locale #f) > (system (%current-system)) > (old-entries '()) > + (store-crypto-devices '()) > store-directory-prefix) > "Return the GRUB configuration file corresponding to CONFIG, a > object, and where the store is available at > STORE-FS, a object. OLD-ENTRIES is taken to be a list of = menu > entries corresponding to old generations of the system. > +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must > +be unlocked to access the store contents. > STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is requ= ired > when booting a root file system on a Btrfs subvolume." > (define all-entries > @@ -412,6 +415,21 @@ menuentry ~s { > (string-join (map string-join '#$modules) > "\n module " 'prefix)))))) >=20=20 > + (define (crypto-devices) > + (define (crypto-device->cryptomount dev) > + (if (uuid? dev) > + #~(format port "cryptomount -u ~a~%" > + ;; cryptomount only accepts UUID without the hypen. > + #$(string-delete #\- (uuid->string dev))) > + ;; Other type of devices aren't implemented. > + #~())) > + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) > + ;; XXX: Add luks2 when grub 2.06 is packaged. > + (modules #~(format port "insmod luks~%"))) > + (if (null? devices) > + devices > + (cons modules devices)))) What I don=E2=80=99t get is why we=E2=80=99re able to use an encrypted root= right now without emitting =E2=80=9Ccryptomount=E2=80=9D GRUB commands? > + (store-crypto-devices > + (match (assq 'store rest) > + (('store . store-data) > + (match (assq 'crypto-devices store-data) > + (('crypto-devices devices) > + (if (list? devices) > + (map uuid-sexp->uuid devices) > + (begin > + (warning (G_ "unrecognized crypto-device ~S at '~a'~%= ") > + devices (port-filename port)) > + '()))) You could avoid =E2=80=98if=E2=80=99 by having clauses like: (('crypto-devices (devices ...)) ;; =E2=80=A6 ) (('crypto-devices _) (warning =E2=80=A6) '()) (_ '()) > + (_ > + ;; No crypto-devices found > + '()))) > + (_ > + ;; No store found, old format. > + '()))) s/No store found/No crypto devices found/ ? > +(define (operating-system-bootloader-crypto-devices os) > + "Return the subset of mapped devices that the bootloader must open. > +Only devices specified by uuid are supported." > + (map mapped-device-source > + (filter (match-lambda > + ((and (=3D mapped-device-type type) > + (=3D mapped-device-source source)) > + (and (eq? luks-device-mapping type) > + (or (uuid? source) > + (begin > + (warning (G_ "\ > +mapped-device '~a' won't be mounted by the bootloader.~%") > + source) > + #f))))) > + ;; XXX: Ordering is important, we trust the returned one. > + (operating-system-boot-mapped-devices os)))) You can use =E2=80=98filter-map=E2=80=99 here. The rest LGTM! Make sure the =E2=80=9Cinstalled-os=E2=80=9D and =E2=80=9Ce= ncrypted-root-os=E2=80=9D system tests are still fine, and if they are, I guess you can go ahead. Thanks! Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 21 15:23:47 2020 Received: (at 25305-done) by debbugs.gnu.org; 21 Dec 2020 20:23:47 +0000 Received: from localhost ([127.0.0.1]:48358 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krRid-0003gX-BZ for submit@debbugs.gnu.org; Mon, 21 Dec 2020 15:23:47 -0500 Received: from mail-wr1-f47.google.com ([209.85.221.47]:37226) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krRic-0003gG-5K; Mon, 21 Dec 2020 15:23:46 -0500 Received: by mail-wr1-f47.google.com with SMTP id i9so12418651wrc.4; Mon, 21 Dec 2020 12:23:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-transfer-encoding; bh=QmRmRHDQDwoqQTiRARizkcIvve6sHhuASkndbXJes10=; b=DmRi8K63KiF03IF4uxMsLMMWh+RGB7U4Sil9tZ787+IOMUTWfV5O2obvaiXn8V0wLv UmY88fRUd7YdLvEdw3yGsUNESQbwzQuTDSegEZKupaLn7/+yodaf4XUckvP2uDElMuCo jWrjecMAsLgk95Vsy8ev1hgDyhou7wclHUvw6jcPIShuTfYeqG8LmYunLEUVGHZKD4+z wYDj77HWsUbiWWVo3p4ryaHrgO7Sxj7ePplfJhWwNePl4i2y/gJsC+QLd0ANZGoN3Gbg Ze2b99RJJIN/zt4Y0VymKHsNXvtx0xQtOQIa+EKah1axSvObdGKIvi1aI1mIxBV2k+Ck acKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version:content-transfer-encoding; bh=QmRmRHDQDwoqQTiRARizkcIvve6sHhuASkndbXJes10=; b=UGlI1dbYiOPnLdYGcX5Z6C4OujrCTIHH+xbg04/tC8B4+RVbXqTx/g7/tHrViHyX5/ RG/tA/xo/Z5kkk1WqfLqyilRcFu1bDdoNMnqMwoVRlr7NrBdWeq8xtuV6htcn9CIg13G IBR0tY3AxIfP59YGbjnIw6MXzjJX4kHIPOCyL8llCPa6YpFKQr4z8a1VldG00iRCOxrC DZpl0edeDAcUV7T8LqFB7jf63yD8L2O7MWeYiqJUCI1fP/NdmNoar7yP7RvbE1au6X/H VmvY9idJvBMxQuu77ZurUYHWjCxTf8/0LEd3U5aYTbMGP0KA7EffkzdsJDLxiaTGJ/0b wOFA== X-Gm-Message-State: AOAM5324QqBja+IDyLvycwDT7BwIMlSzQzBs3AhqT4pUWhZZBD2OdSV1 pHpZdudvcs0lsriYOfZLRbla7fQgVEc= X-Google-Smtp-Source: ABdhPJyfwapYtZbXywZ+0SvYWI3Qacthm49dcKI4QjhJQPqzGiHL1nhrYm1J4AG4v3u12lmRmwV0Bg== X-Received: by 2002:adf:c18d:: with SMTP id x13mr20103880wre.128.1608582219824; Mon, 21 Dec 2020 12:23:39 -0800 (PST) Received: from unfall (36.193.158.146.dynamic.jazztel.es. [146.158.193.36]) by smtp.gmail.com with ESMTPSA id z15sm29876363wrv.67.2020.12.21.12.23.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Dec 2020 12:23:39 -0800 (PST) From: =?utf-8?Q?Miguel_=C3=81ngel_Arruga_Vivas?= To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com> <87ft5ym3ic.fsf@gmail.com> <87k0tksfau.fsf@gnu.org> Date: Mon, 21 Dec 2020 21:23:36 +0100 In-Reply-To: <87k0tksfau.fsf@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?= =?utf-8?Q?s?= message of "Mon, 14 Dec 2020 14:11:37 +0100") Message-ID: <87k0tazz5j.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 25305-done Cc: 25305-done@debbugs.gnu.org, Mathieu Othacehe , 37851-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) Hi Ludo, First of all, thanks for your review. :-) Ludovic Court=C3=A8s writes: > Hi Miguel, > > Miguel =C3=81ngel Arruga Vivas skribis: >> + (define (crypto-devices) >> + (define (crypto-device->cryptomount dev) >> + (if (uuid? dev) >> + #~(format port "cryptomount -u ~a~%" >> + ;; cryptomount only accepts UUID without the hypen. >> + #$(string-delete #\- (uuid->string dev))) >> + ;; Other type of devices aren't implemented. >> + #~())) >> + (let ((devices (map crypto-device->cryptomount store-crypto-devices= )) >> + ;; XXX: Add luks2 when grub 2.06 is packaged. >> + (modules #~(format port "insmod luks~%"))) >> + (if (null? devices) >> + devices >> + (cons modules devices)))) > > What I don=E2=80=99t get is why we=E2=80=99re able to use an encrypted ro= ot right now > without emitting =E2=80=9Ccryptomount=E2=80=9D GRUB commands? The grub boot process goes more or less like this: 1. Firmware loads the initial image. 1.1. If that image is not the final one, it contains a "pointer" to the final one, which is loaded by it; this chain can be viewed as part of the firmware loading for this purpose. 2. The image code reads an initial configuration file, which is usually generated by grub-install/grub-mkstandalone. Here Grub is placing the needed the cryptomount lines for the devices needed to mount target in order to read grub.cfg and other modules. 3. grub.cfg is read (a.k.a. normal mode) and the usual boot process follows. The first configuration file is generated automatically by grub-install, which physically scans the target location (still /boot in our case) and inserts the needed insmod and cryptomount calls. When the target and the store don't share the device, the calls leading to the store must be inserted manually into grub.cfg. It could be easier to remove completely /boot and use a directory from the store, but that leads to more writes of the image, as each reconfiguration involving a change on the devices used for the store must end up returning a different store file name too. Nonetheless, that would leave /boot untouched if anybody wants to install their version of grub there for other purposes... >> + (_ >> + ;; No crypto-devices found >> + '()))) >> + (_ >> + ;; No store found, old format. >> + '()))) > > s/No store found/No crypto devices found/ ? The first comment is reached when crypto-devices isn't found in a (boot-parameters ... (store ...) ...) form. The second one is reached when (boot-parameters ...) form doesn't even contain a tag store in it. It follows the same pattern as store-device, as the old format didn't have a store element. On the other hand, I added a period to the first sentence as it was missing. 0:) >> +(define (operating-system-bootloader-crypto-devices os) >> + "Return the subset of mapped devices that the bootloader must open. >> +Only devices specified by uuid are supported." >> + (map mapped-device-source >> + (filter (match-lambda >> + ((and (=3D mapped-device-type type) >> + (=3D mapped-device-source source)) >> + (and (eq? luks-device-mapping type) >> + (or (uuid? source) >> + (begin >> + (warning (G_ "\ >> +mapped-device '~a' won't be mounted by the bootloader.~%") >> + source) >> + #f))))) >> + ;; XXX: Ordering is important, we trust the returned one. >> + (operating-system-boot-mapped-devices os)))) > > You can use =E2=80=98filter-map=E2=80=99 here. Thanks for the pointer! I've modified a bit tests/boot-parameters.scm to be extra-sure that I was doing that change OK, as I moved the or to a internal function for readability too. > The rest LGTM! Make sure the =E2=80=9Cinstalled-os=E2=80=9D and =E2=80= =9Cencrypted-root-os=E2=80=9D > system tests are still fine, and if they are, I guess you can go ahead. Pushed to master as f00e68ace0 with these changes, after running the tests and booting up my system. Happy hacking! Miguel From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 22 08:41:21 2020 Received: (at 25305-done) by debbugs.gnu.org; 22 Dec 2020 13:41:21 +0000 Received: from localhost ([127.0.0.1]:49246 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krhuj-0004mr-DR for submit@debbugs.gnu.org; Tue, 22 Dec 2020 08:41:21 -0500 Received: from eggs.gnu.org ([209.51.188.92]:49020) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krhuh-0004mX-Bo; Tue, 22 Dec 2020 08:41:19 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:58435) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1krhub-0008PZ-7Q; Tue, 22 Dec 2020 08:41:13 -0500 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=43830 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1krhuW-0006Kd-EX; Tue, 22 Dec 2020 08:41:08 -0500 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Miguel =?utf-8?Q?=C3=81ngel?= Arruga Vivas Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com> <87ft5ym3ic.fsf@gmail.com> <87k0tksfau.fsf@gnu.org> <87k0tazz5j.fsf@gmail.com> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 2 =?utf-8?Q?Niv=C3=B4se?= an 229 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 22 Dec 2020 14:41:07 +0100 In-Reply-To: <87k0tazz5j.fsf@gmail.com> ("Miguel =?utf-8?Q?=C3=81ngel?= Arruga Vivas"'s message of "Mon, 21 Dec 2020 21:23:36 +0100") Message-ID: <8735zy2c24.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 25305-done Cc: 25305-done@debbugs.gnu.org, Mathieu Othacehe , 37851-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, Miguel =C3=81ngel Arruga Vivas skribis: > Pushed to master as f00e68ace0 with these changes, after running the > tests and booting up my system. Woohoo, thank you! Ludo=E2=80=99. From unknown Sun Jun 22 00:16:16 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Wed, 20 Jan 2021 12:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator