Date: Mon, 21 Oct 2019 13:07:09 +0200
From: Miguel Arruga Vivas
To: bug-guix@gnu.org
Subject: Grub installation only checks for encrypted /boot folder

Hi,

The following configuration results in an unbootable system. The root
partition must be manually mounted with cryptomount in order to boot
the system.

The core issue is that grub unencrypts automatically, as
GRUB_ENABLE_CRYPTODISK=y was provided during installation, the /boot
partition, but not the partition which contains /gnu/store.

Happy hacking!
Miguel

==================== config.scm ====================
;; ....
(operating-system
  ;; ...
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))
  (mapped-devices
   (list (mapped-device
          (source (uuid "uuid root device"))
          (target "root")
          (type luks-device-mapping))
         (mapped-device
          (source (uuid "uuid boot device"))
          (target "boot")
          (type luks-device-mapping))))
  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device "/dev/mapper/root")
            (type "btrfs")
            (dependencies mapped-devices))
          (file-system
            (mount-point "/boot")
            (device "/dev/mapper/boot")
            (type "ext4")
            (dependencies mapped-devices))
          %base-file-systems)))
==================== config.scm ====================

Date: Mon, 21 Oct 2019 14:47:58 +0200
From: Miguel Arruga Vivas
To: 37851@debbugs.gnu.org
Subject: Re: Grub installation only checks for encrypted /boot folder

Hi again,

Attached can be found a workaround to mount all encrypted partitions.
There is no way to tell the devices to mount without changing
boot-parameters, where I'd add another field with the needed mapped
devices (a traversal onto the mapped-device dependency tree
of /gnu/store). Do you think this is a good idea? At least I think
it's the best way to encode the dependencies into the grub.cfg file,
even though the typical graph will contain 0 or 1 nodes.

Ideas?

Best regards,
Miguel

Attachment: 0001-system-Mount-luks-devices-on-boot.patch

From 9b50e2d8eb8b744595a54a9543993eb4e3813742 Mon Sep 17 00:00:00 2001
From: Miguel Ángel Arruga Vivas
Date: Mon, 21 Oct 2019 14:35:02 +0200
Subject: [PATCH] system: Mount luks devices on boot.

* gnu/bootloader/grub.scm (grub-configuration-file)[builder]: Mount all
encrypted partitions.
---
 gnu/bootloader/grub.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index d984d5f5e3..b29477ec71 100644 --- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm 
@@ -369,6 +369,7 @@ keymap ~a~%" keymap))))) (format port "# This file was generated from your Guix configuration. Any changes # will be lost upon reconfiguration. +cryptomount -a ") #$sugar #$keyboard-layout-config -- 2.23.0
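
Review bot: the added `cryptomount -a` line sits inside the fixed header string, so it is written into every generated grub.cfg whether or not the configuration declares a luks-device-mapping, and per the commit log it mounts all encrypted partitions rather than the ones this system needs to boot. Emit it only when an encrypted mapped device is needed for boot, preferably as one cryptomount call per such device, and add a `#` comment line above it in the generated file saying what it does.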

Date: Mon, 21 Oct 2019 16:55:36 +0200
From: Miguel Arruga Vivas
To: 37851@debbugs.gnu.org
Subject: bug#37851

merge 25305 37851
quit

From: Miguel
Date: Mon, 21 Oct 2019 17:07:43 +0200
To: control@debbugs.gnu.org
Subject: control message for bug #37851

merge 37851 25305
quit

From: Ludovic Courtès
To: Miguel Arruga Vivas
Cc: 37851@debbugs.gnu.org
Subject: Re: bug#37851: Grub installation only checks for encrypted /boot folder
Date: Tue, 22 Oct 2019 16:12:49 +0200

Hello Miguel,

Miguel Arruga Vivas wrote:

> Attached can be found a workaround to mount all encrypted partitions.
> There is no way to tell the devices to mount without changing
> boot-parameters, where I'd add another field with the needed mapped
> devices (a traversal onto the mapped-device dependency tree
> of /gnu/store). Do you think this is a good idea? At least I think
> it's the best way to encode the dependencies into the grub.cfg file,
> even though the typical graph will contain 0 or 1 nodes.

> From 9b50e2d8eb8b744595a54a9543993eb4e3813742 Mon Sep 17 00:00:00 2001
> From: Miguel Ángel Arruga Vivas
> Date: Mon, 21 Oct 2019 14:35:02 +0200
> Subject: [PATCH] system: Mount luks devices on boot.
>
> * gnu/bootloader/grub.scm (grub-configuration-file)[builder]: Mount all
> encrypted partitions.
> ---
> gnu/bootloader/grub.scm | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm > index d984d5f5e3..b29477ec71 100644 > --- a/gnu/bootloader/grub.scm > +++ b/gnu/bootloader/grub.scm
> @@ -369,6 +369,7 @@ keymap ~a~%" keymap))))) > (format port > "# This file was generated from your Guix configuratio= n. Any changes > # will be lost upon reconfiguration. > +cryptomount -a

Does that cause GRUB to mount all the LUKS partitions it was aware of at
installation time, or does it cause it to scan all the partitions in
search of a LUKS signature?

In the latter case that wouldn’t be great, but in the former case it
sounds like we could go ahead (well, with a comment above explaining
what this does. :-)).

Thanks for working on it!

Ludo’.

Date: Sun, 27 Oct 2019 02:00:31 +0100
From: Miguel Arruga Vivas
To: Ludovic Courtès
Cc: 37851@debbugs.gnu.org
Subject: Re: bug#37851: Grub installation only checks for encrypted /boot folder

Hi Ludo’,

On Tue, 22 Oct 2019 16:12:49 +0200 Ludovic Courtès wrote:
> Hello Miguel,
>
> Miguel Arruga Vivas wrote:
> > (...)
> > +cryptomount -a
>
> Does that cause GRUB to mount all the LUKS partitions it was aware of
> at installation time, or does it cause it to scan all the partitions
> in search of a LUKS signature?

That patch is the first one, it mounts everything it can find, unlike
this one. The only option I've seen was to modify boot-parameters (as
in #35394, wink wink nudge nudge) in order to store the needed
partitions.

I've reduced it this time to one patch, is it somehow easier to read
this way? I could split it in two stages (one to add the boot-parameters
field, the other one to make use of it) or squash the three for the
other feature into one if that is easier for the review.

The main issue I've found is that the source of the device-mappings
needed for boot up has to be declared by the UUID to ensure they are
not system dependent. Also, the warning is shown several times and the
message isn't quite good, any idea how to fix/improve this?

Happy hacking!
Miguel

Attachment: 0001-system-Use-of-mapped-devices-for-boot-process.patch

From f6438d1175a1d60d842ab502255a7685b05f4e7d Mon Sep 17 00:00:00 2001
From: Miguel Ángel Arruga Vivas
Date: Sun, 27 Oct 2019 01:35:59 +0200
Subject: [PATCH] system: Use of mapped-devices for boot process.

* gnu/bootloader/depthcharge.scm (depthcharge-configuration-file): New
parameter crypto-devices, not used.
* gnu/bootloader/extlinux.scm (extlinux-configuration-file): Likewise.
* gnu/bootloader/grub.scm (grub-configuration-file)[declaration]: New
parameter crypto-devices, used to ensure unlock every encrypted
partition needed by the bootloader.
[device-uuid->gexp]: New function, emits cryptomount calls.
[body]: Map crypto-devices with device-uuid->gexp.
* gnu/machine/ssh.scm (roll-back-managed-host): Use the crypto-devices
stored from the selected generation in the call to the bootloader
configuration generator.
* gnu/scripts/system.scm (reinstall-bootloader): Likewise.
* gnu/system.scm (define-module)[export]: Export new accessor
boot-parameters-crypto-devices.
(boot-parameters)[crypto-devices]: New field.
(read-boot-parameters)[uuid-sexp->uuid]: New function.
(read-boot-parameters)[body]: Read new field crypto-devices.
(operating-system-boot-parameters-file): Add the new field.
(operating-system-boot-crypto-devices): New function. Warn about
devices without a UUID. They are ignored as they would be dependent
on the hardware configuration.
(operating-system-bootcfg): Use operating-system-boot-crypto-devices
in the call to the bootloader configuration generator.
(operating-system-boot-parameters): Use
operating-system-boot-crypto-devices to store the needed devices.
---
 gnu/bootloader/depthcharge.scm |  1 +
 gnu/bootloader/extlinux.scm    |  1 +
 gnu/bootloader/grub.scm        | 14 ++++++++++++
 gnu/machine/ssh.scm            |  3 +++
 gnu/system.scm                 | 40 ++++++++++++++++++++++++++++++++++
 guix/scripts/system.scm        |  2 ++
 6 files changed, 61 insertions(+)

diff --git a/gnu/bootloader/depthcharge.scm b/gnu/bootloader/depthcharge.scm index 58cc3f3932..fe4302e93c 100644 --- a/gnu/bootloader/depthcharge.scm
+++ b/gnu/bootloader/depthcharge.scm @@ -82,6 +82,7 @@ (define* (depthcharge-configuration-file config entries #:key (system (%current-system)) + (crypto-devices '()) (old-entries '())) (match entries ((entry) diff --git a/gnu/bootloader/extlinux.scm b/gnu/bootloader/extlinux.scm index 40108584a8..3defeab3dd 100644 --- a/gnu/bootloader/extlinux.scm +++ b/gnu/bootloader/extlinux.scm @@ -28,6 +28,7 @@ (define* (extlinux-configuration-file config entries #:key (system (%current-system)) + (crypto-devices '()) (old-entries '())) "Return the U-Boot configuration file corresponding to CONFIG, a object, and where the store is available at STORE-F= S, a diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index d984d5f5e3..8b5cf848af 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Leo Famulari ;;; Copyright =C2=A9 2017 Mathieu Othacehe +;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas ;;; ;;; This file is part of GNU Guix. ;;; @@ -316,6 +317,7 @@ code." (define* (grub-configuration-file config entries #:key (system (%current-system)) + (crypto-devices '()) (old-entries '())) "Return the GRUB configuration file corresponding to CONFIG, a object, and where the store is available at @@ -345,6 +347,17 @@ entries corresponding to old generations of the system= ." #$(grub-root-search device kernel) #$kernel (string-join (list #$@arguments)) #$initrd)))) + (define (device-uuid->gexp device-uuid) + (let* ((uuid-string (uuid->string device-uuid)) + ;; XXX: My tests only worked with UUID values without + ;; any hyphen character. + (filtered-uuid (string-filter (lambda (c) + (not (eqv? c #\-))) + uuid-string))) + #~(format port "# Unlock encrypted device ~a +cryptomount -u ~a~%" + #$uuid-string + #$filtered-uuid))) (define sugar (eye-candy config (menu-entry-device (first all-entries)) 
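
Review bot: the XXX comment in device-uuid->gexp records only that the author's tests worked with hyphen-free UUIDs, which leaves the string-filter call unexplained for the next reader. Say in the comment which GRUB version the tests used and what failed with the hyphenated form, or replace the XXX with the documented reason if there is one. The new #:crypto-devices keyword is also absent from the docstring of grub-configuration-file, which this patch leaves unchanged.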
@@ -370,6 +383,7 @@ keymap ~a~%" keymap))))) "# This file was generated from your Guix configuration.= Any changes # will be lost upon reconfiguration. ") + #$@(map device-uuid->gexp crypto-devices) #$sugar #$keyboard-layout-config (format port " diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm index 6e3ed0e092..e8750bbe81 100644 --- a/gnu/machine/ssh.scm +++ b/gnu/machine/ssh.scm @@ -435,11 +435,14 @@ an environment type of 'managed-host." (drop boot-parameters 2))) (bootloader -> (operating-system-bootloader (machine-operating-system machine))) + (crypto-devices -> (boot-parameters-crypto-devices + (second boot-parameters))) (bootcfg (lower-object ((bootloader-configuration-file-generator (bootloader-configuration-bootloader bootloader)) bootloader entries + #:crypto-devices crypto-devices #:old-entries old-entries))) (remote-result (machine-remote-eval machine remote-= exp))) (when (eqv? 'error remote-result) diff --git a/gnu/system.scm b/gnu/system.scm index a353b1a5c8..9835fddf89 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -5,6 +5,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Mathieu Othacehe ;;; Copyright =C2=A9 2019 Meiyo Peng +;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas ;;; ;;; This file is part of GNU Guix. ;;; @@ -119,6 +120,7 @@ boot-parameters-bootloader-menu-entries boot-parameters-store-device boot-parameters-store-mount-point + boot-parameters-crypto-devices boot-parameters-kernel boot-parameters-kernel-arguments boot-parameters-initrd @@ -256,6 +258,7 @@ directly by the user." boot-parameters-bootloader-menu-entries) (store-device boot-parameters-store-device) (store-mount-point boot-parameters-store-mount-point) + (crypto-devices boot-parameters-crypto-devices) (kernel boot-parameters-kernel) (kernel-arguments boot-parameters-kernel-arguments) (initrd boot-parameters-initrd)) 
@@ -286,6 +289,14 @@ file system labels." device (file-system-label device))))) =20 + (define uuid-sexp->uuid + (match-lambda + (('uuid (? symbol? type) (? bytevector? bv)) + (bytevector->uuid bv type)) + (x + (warning (G_ "unrecognized uuid ~a at '~a'~%") x (port-filename por= t)) + #f))) + (match (read port) (('boot-parameters ('version 0) ('label label) ('root-device root) @@ -324,6 +335,11 @@ file system labels." (('initrd (? string? file)) file))) =20 + (crypto-devices + (match (assq 'crypto-devices rest) + ((_ device-list) (map uuid-sexp->uuid device-list)) + (#f '()))) + (store-device ;; Linux device names like "/dev/sda1" are not suitable GRUB device ;; identifiers, so we just filter them out. @@ -438,6 +454,23 @@ from the initrd." (any file-system-needed-for-boot? users))) devices))) =20 +(define (operating-system-boot-crypto-devices os) + (define (crypto-device? device) + (let ((type (mapped-device-type device))) + (eq? type luks-device-mapping))) + (define (with-uuid? device) + (if (uuid? (mapped-device-source device)) + #t + (begin + (warning (G_ "the source from mapped-device at ~a is not an UUID. +It will be ignored for the bootloader configuration.~%") + (mapped-device-location device)) + #f))) + (let* ((mapped-devices (operating-system-boot-mapped-devices os)) + (crypto-devices (filter crypto-device? mapped-devices)) + (valid-devices (filter with-uuid? crypto-devices))) + (map mapped-device-source valid-devices))) + (define (device-mapping-services os) "Return the list of device-mapping services for OS as a list." (map device-mapping-service @@ -989,6 +1022,7 @@ entry." a list of , to populate the \"old entries\" menu." (let* ((root-fs (operating-system-root-file-system os)) (root-device (file-system-device root-fs)) + (crypto-devices (operating-system-boot-crypto-devices os)) (params (operating-system-boot-parameters os root-device #:system-kernel-arguments? #t)) 
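
Review bot: in the operating-system-bootcfg hunk, crypto-devices is computed with operating-system-boot-crypto-devices one binding above params, and operating-system-boot-parameters (changed later in this file) calls the same function again, so with-uuid? runs at least twice per system and prints its warning each time. Compute the list once, for example by binding crypto-devices after params as `(boot-parameters-crypto-devices params)`, and move the warning out of the filter predicate so that it is reported once per mapped device.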
@@ -999,6 +1033,7 @@ a list of , to populate the \"old entries\= " menu." (bootloader-configuration-bootloader bootloader-conf))) =20 (generate-config-file bootloader-conf (list entry) + #:crypto-devices crypto-devices #:old-entries old-entries))) =20 (define* (operating-system-boot-parameters os root-device @@ -1011,6 +1046,7 @@ such as '--root' and '--load' to ." (bootloader (bootloader-configuration-bootloader (operating-system-bootloader os))) (bootloader-name (bootloader-name bootloader)) + (crypto-devices (operating-system-boot-crypto-devices os)) (label (operating-system-label os))) (boot-parameters (label label) @@ -1024,6 +1060,7 @@ such as '--root' and '--load' to ." (bootloader-name bootloader-name) (bootloader-menu-entries (bootloader-configuration-menu-entries (operating-system-bootloader = os))) + (crypto-devices crypto-devices) (store-device (ensure-not-/dev (file-system-device store))) (store-mount-point (file-system-mount-point store))))) =20 @@ -1070,6 +1107,9 @@ being stored into the \"parameters\" file)." (or (and=3D> (operating-system-bootloader os) bootloader-configuration-menu-entri= es) '()))) + (crypto-devices + #$(map device->sexp + (boot-parameters-crypto-devices params))) (store (device #$(device->sexp (boot-parameters-store-device params= ))) diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index 27b014db68..95cffec52d 100644 --- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm 
@@ -392,12 +392,14 @@ STORE is an open connection to the store." %system-profile old-generations)) (entries (cons (boot-parameters->menu-entry params) (boot-parameters-bootloader-menu-entries params))) + (crypto-devices (boot-parameters-crypto-devices params)) (old-entries (map boot-parameters->menu-entry old-params))) (run-with-store store (mlet* %store-monad ((bootcfg (lower-object ((bootloader-configuration-file-generator bootloader) bootloader-config entries + #:crypto-devices crypto-devices #:old-entries old-entries))) (drvs -> (list bootcfg))) (mbegin %store-monad --=20 2.23.0
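Review bot: In the read-boot-parameters hunks of gnu/system.scm, uuid-sexp->uuid returns #f for an entry it does not recognize and the crypto-devices clause applies it with (map uuid-sexp->uuid device-list), so a single malformed entry leaves #f in the list that later reaches the bootloader generator as #:crypto-devices. Use filter-map there so unrecognized entries are dropped after the warning. The pattern (_ device-list) also accepts a non-list value, which then fails inside map; guard it with (? list? device-list) and fall back to '() otherwise.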
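Review bot: operating-system-boot-crypto-devices in gnu/system.scm is added without a docstring, unlike device-mapping-services right below it; state that it returns the UUID sources of the LUKS mapped devices needed for boot and that devices whose source is not a UUID are skipped with a warning. It is called from both operating-system-bootcfg and operating-system-boot-parameters, and operating-system-bootcfg also calls operating-system-boot-parameters, so the warning is printed more than once for the same device; compute the list once and pass it along. In the warning text, "is not an UUID" should read "is not a UUID".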

From: Miguel
Date: Fri, 01 Nov 2019 13:11:52 +0100
Message-Id: <877e4jiynr.fsf@unfall.i-did-not-set--mail-host-address--so-tickle-me>
To: control@debbugs.gnu.org
Subject: control message for bug #37851

tags 37851 + patch
quit

From: Miguel Ángel Arruga Vivas
To: Ludovic Courtès, Mathieu Othacehe
Cc: 25305@debbugs.gnu.org, 37851@debbugs.gnu.org
Subject: Re: bug#37851: Grub installation only checks for encrypted /boot folder
References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org>
Date: Mon, 26 Oct 2020 23:15:03 +0100
In-Reply-To: <87lftc27j2.fsf@gnu.org> ("Ludovic Courtès"'s message of "Tue, 22 Oct 2019 16:12:49 +0200")
Message-ID: <87r1pkocrc.fsf@gmail.com>

Hello!

Ludovic Courtès writes:

> Does that cause GRUB to mount all the LUKS partitions it was aware of at
> installation time, or does it cause it to scan all the partitions in
> search of a LUKS signature?
>
> In the latter case that wouldn’t be great, but in the former case it
> sounds like we could go ahead (well, with a comment above explaining
> what this does. :-)).

Sorry for this huuuuuuuuuge delay, but I have this patch for this. It includes a test case, even though I have been suffering a lot until I noticed that OCR was returning garbage and I was trying to be too specific, so I've left it as basic as I could.

I add Mathieu to the loop to bring more eyes over it, I'm open to any suggestion. :-)

Happy hacking!
Miguel

PS: It should apply on top of master too, but I tested it on top of some other grub.cfg fixes, I'll send a new version if there is any problem with this.

Content-Type: text/x-patch; charset=utf-8
Content-Disposition: attachment; filename=v3-0005-system-Allow-separated-boot-and-encrypted-root.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: 0001-system-Allow-separated-boot-and-encrypted-root.patch

From d40f0a26afef194e7e68906ba793ca0ffac6da5f Mon Sep 17 00:00:00 2001
From: Miguel Ángel Arruga Vivas
Date: Sun, 25 Oct 2020 16:31:17 +0100
Subject: [PATCH v3 5/5] system: Allow separated /boot and encrypted root.

* gnu/bootloader/grub.scm (grub-configuration-file): New parameter store-crypto-devices.
[crypto-devices]: New helper function.
[builder]: Use crypto-devices.
* gnu/machine/ssh.scm (roll-back-managed-host): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process.
* gnu/tests/install.scm (%encrypted-root-not-boot-os, %encrypted-root-not-boot-os): New os declaration.
(%encrypted-root-not-boot-installation-script): New script, whose contents were initially taken from %encrypted-root-installation-script.
(%test-encrypted-root-not-boot-os): New test.
* gnu/system.scm (define-module): Export operating-system-bootoader-crypto-devices and boot-parameters-store-crypto-devices.
(): Add field store-crypto-devices.
(read-boot-parameters): Parse store-crypto-devices field.
[uuid-sexp->uuid]: New helper function extracted from device-sexp->device.
(operating-system-bootloader-crypto-devices): New function.
(operating-system-bootcfg): Use operating-system-bootloader-crypto-devices to provide its contents to the bootloader configuration generation process.
(operating-system-boot-parameters): Add store-crypto-devices to the generated boot-parameters.
(operating-system-boot-parameters-file): Likewise to the file with the serialized structure.
* guix/scripts/system.scm (reinstall-bootloader): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process.
* tests/boot-parameters.scm (%default-store-crypto-devices): New variable.
(%grub-boot-parameters, test-read-boot-parameters): Use %default-store-crypto-devices.
(tests store-crypto-devices): New tests.
=2D-- gnu/bootloader/grub.scm | 19 ++++++- gnu/machine/ssh.scm | 3 ++ gnu/system.scm | 57 ++++++++++++++++++++- gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ guix/scripts/system.scm | 2 + tests/boot-parameters.scm | 29 ++++++++++- 6 files changed, 208 insertions(+), 5 deletions(-) diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 8636e9c690..c6e7d3fd6d 100644 =2D-- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2017 Leo Famulari ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen =2D;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Maxim Cournoyer ;;; Copyright =C2=A9 2020 Stefan ;;; @@ -361,6 +361,7 @@ code." (locale #f) (system (%current-system)) (old-entries '()) + store-crypto-devices store-directory-prefix) "Return the GRUB configuration file corresponding to CONFIG, a object, and where the store is available at @@ -413,6 +414,21 @@ menuentry ~s { (string-join (map string-join '#$modules) "\n module " 'prefix)))))) =20 + (define (crypto-devices) + (define (crypto-device->cryptomount dev) + (if (uuid? dev) + #~(format port "cryptomount -u ~a~%" + ;; cryptomount only accepts UUID without the hypen. + #$(string-delete #\- (uuid->string dev))) + ;; Other type of devices aren't implemented. + #~())) + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) + ;; XXX: Add luks2 when grub 2.06 is packaged. + (modules #~(format port "insmod luks~%"))) + (if (null? devices) + devices + (cons modules devices)))) + (define (sugar) (let* ((entry (first all-entries)) (device (menu-entry-device entry)) 
@@ -469,6 +485,7 @@ keymap ~a~%" #$keymap)))) "# This file was generated from your Guix configuration.= Any changes # will be lost upon reconfiguration. ") + #$@(crypto-devices) #$(sugar) #$locale-config #$keyboard-layout-config diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm index a3a12fb54b..822f401c1a 100644 =2D-- a/gnu/machine/ssh.scm +++ b/gnu/machine/ssh.scm @@ -482,6 +482,8 @@ an environment type of 'managed-host." (list (second boot-parameters)))) (locale -> (boot-parameters-locale (second boot-parameters))) + (crypto-dev -> (boot-parameters-store-crypto-devices + (second boot-parameters))) (store-dir -> (boot-parameters-store-directory-pref= ix (second boot-parameters))) (old-entries -> (map boot-parameters->menu-entry @@ -494,6 +496,7 @@ an environment type of 'managed-host." bootloader)) bootloader entries #:locale locale + #:store-crypto-devices crypto-dev #:store-directory-prefix store-dir #:old-entries old-entries))) (remote-result (machine-remote-eval machine remote-= exp))) diff --git a/gnu/system.scm b/gnu/system.scm index 30a5c418d0..3a718642cf 100644 =2D-- a/gnu/system.scm +++ b/gnu/system.scm @@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Mathieu Othacehe ;;; Copyright =C2=A9 2019 Meiyo Peng =2D;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Danny Milosavljevic ;;; Copyright =C2=A9 2020 Brice Waegeneire ;;; Copyright =C2=A9 2020 Florian Pelz @@ -112,6 +112,7 @@ operating-system-store-file-system operating-system-user-mapped-devices operating-system-boot-mapped-devices + operating-system-bootloader-crypto-devices operating-system-activation-script operating-system-user-accounts operating-system-shepherd-service-names 
@@ -147,6 +148,7 @@ boot-parameters-root-device boot-parameters-bootloader-name boot-parameters-bootloader-menu-entries + boot-parameters-store-crypto-devices boot-parameters-store-device boot-parameters-store-directory-prefix boot-parameters-store-mount-point @@ -301,6 +303,8 @@ directly by the user." (store-device boot-parameters-store-device) (store-mount-point boot-parameters-store-mount-point) (store-directory-prefix boot-parameters-store-directory-prefix) + (store-crypto-devices boot-parameters-store-crypto-devices + (default '())) (locale boot-parameters-locale) (kernel boot-parameters-kernel) (kernel-arguments boot-parameters-kernel-arguments) @@ -334,6 +338,13 @@ file system labels." (if (string-prefix? "/" device) device (file-system-label device)))))) + (define uuid-sexp->uuid + (match-lambda + (('uuid (? symbol? type) (? bytevector? bv)) + (bytevector->uuid bv type)) + (x + (warning (G_ "unrecognized uuid ~a at '~a'~%") x (port-filename por= t)) + #f))) =20 (match (read port) (('boot-parameters ('version 0) @@ -407,6 +418,24 @@ file system labels." ;; No store found, old format. #f))) =20 + (store-crypto-devices + (match (assq 'store rest) + (('store . store-data) + (match (assq 'crypto-devices store-data) + (('crypto-devices devices) + (if (list? devices) + (map uuid-sexp->uuid devices) + (begin + (warning (G_ "unrecognized crypto-device ~S at '~a'~%") + devices (port-filename port)) + '()))) + (_ + ;; No crypto-devices found + '()))) + (_ + ;; No store found, old format. + '()))) + (store-mount-point (match (assq 'store rest) (('store ('device _) ('mount-point mount-point) _ ...) 
@@ -520,6 +549,23 @@ from the initrd." (any file-system-needed-for-boot? users))) devices))) =20 +(define (operating-system-bootloader-crypto-devices os) + "Return the subset of mapped devices that the bootloader must open. +Only devices specified by uuid are supported." + (map mapped-device-source + (filter (match-lambda + ((and (=3D mapped-device-type type) + (=3D mapped-device-source source)) + (and (eq? luks-device-mapping type) + (or (uuid? source) + (begin + (warning (G_ "\ +mapped-device '~a' won't be mounted by the bootloader.~%") + source) + #f))))) + ;; XXX: Ordering is important, we trust the returned one. + (operating-system-boot-mapped-devices os)))) + (define (device-mapping-services os) "Return the list of device-mapping services for OS as a list." (map device-mapping-service @@ -1256,6 +1302,7 @@ a list of , to populate the \"old entries= \" menu." (root-fs (operating-system-root-file-system os)) (root-device (file-system-device root-fs)) (locale (operating-system-locale os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (params (operating-system-boot-parameters os root-device #:system-kernel-arguments? #t)) @@ -1269,6 +1316,7 @@ a list of , to populate the \"old entries= \" menu." (generate-config-file bootloader-conf (list entry) #:old-entries old-entries #:locale locale + #:store-crypto-devices crypto-devices #:store-directory-prefix (btrfs-store-subvolume-file-name file-systems)))) =20 @@ -1308,6 +1356,7 @@ such as '--root' and '--load' to ." (operating-system-initrd-file os))) (store (operating-system-store-file-system os)) (file-systems (operating-system-file-systems os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (locale (operating-system-locale os)) (bootloader (bootloader-configuration-bootloader (operating-system-bootloader os))) 
@@ -1330,6 +1379,7 @@ such as '--root' and '--load' to ." (locale locale) (store-device (ensure-not-/dev (file-system-device store))) (store-directory-prefix (btrfs-store-subvolume-file-name file-systems= )) + (store-crypto-devices crypto-devices) (store-mount-point (file-system-mount-point store))))) =20 (define (device->sexp device) @@ -1388,7 +1438,10 @@ being stored into the \"parameters\" file)." (mount-point #$(boot-parameters-store-mount-point params)) (directory-prefix =2D #$(boot-parameters-store-directory-prefix params)= ))) + #$(boot-parameters-store-directory-prefix params)) + (crypto-devices + #$(map device->sexp + (boot-parameters-store-crypto-devices params= ))))) #:set-load-path? #f))) =20 (define-gexp-compiler (operating-system-compiler (os ) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 86bd93966b..8f1668bab2 100644 =2D-- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -63,6 +63,8 @@ %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-not-boot-os + %test-encrypted-root-and-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os %test-jfs-root-os 
@@ -796,6 +798,107 @@ build (current-guix) and then store a couple of full = system images.") (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) =20 + +;;; +;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. +;;; + +(define-os-with-source (%encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "bootroot") + (timezone "Europe/Madrid") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vdb"))) + + (mapped-devices (list (mapped-device + (source + (uuid "12345678-1234-1234-1234-123456789abc")) + (target "root") + (type luks-device-mapping)))) + (file-systems (cons* (file-system + (device (file-system-label "my-boot")) + (mount-point "/boot") + (type "ext4")) + (file-system + (device "/dev/mapper/root") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %encrypted-root-not-boot-installation-script + ;; Shell script for an installation with boot not encrypted but root + ;; encrypted. + (format #f "\ +. 
/etc/profile +set -e -x +guix --version + +export GUIX_BUILD_OPTIONS=3D--no-grafts +ls -l /run/current-system/gc-roots +parted --script /dev/vdb mklabel gpt \\ + mkpart primary ext2 1M 3M \\ + mkpart primary ext2 3M 50M \\ + mkpart primary ext2 50M 1.6G \\ + set 1 boot on \\ + set 1 bios_grub on +echo -n \"~a\" | cryptsetup luksFormat --uuid=3D\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root +mkfs.ext4 -L my-root /dev/mapper/root +mkfs.ext4 -L my-boot /dev/vdb2 +mount LABEL=3Dmy-root /mnt +mkdir /mnt/boot +mount LABEL=3Dmy-boot /mnt/boot +echo \"Checking mounts\" +mount +herd start cow-store /mnt +mkdir /mnt/etc +cp /etc/target-config.scm /mnt/etc/config.scm +guix system build /mnt/etc/config.scm +guix system init /mnt/etc/config.scm /mnt --no-substitutes +sync +echo \"Debugging info\" +blkid +cat /mnt/boot/grub/grub.cfg +reboot\n" + %luks-passphrase "12345678-1234-1234-1234-123456789abc" + %luks-passphrase)) + +(define %test-encrypted-root-not-boot-os + (system-test + (name "encrypted-root-not-boot-os") + (description + "Test the manual installation on an OS with / in an encrypted partition +but /boot on a different, non-encrypted partition. This test is expensive= in +terms of CPU and storage usage since we need to build (current-guix) and t= hen +store a couple of full system images.") + (value + (mlet* %store-monad + ((image (run-install %encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source + #:script + %encrypted-root-not-boot-installation-script)) + (command (qemu-command/writable-image image))) + (run-basic-test %encrypted-root-not-boot-os command + "encrypted-root-not-boot-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Btrfs root file system. diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index ad998156c2..02cf2a12a2 100644 =2D-- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm 
@@ -385,6 +385,7 @@ STORE is an open connection to the store." (params (first (profile-boot-parameters %system-profile (list number)))) (locale (boot-parameters-locale params)) + (store-crypto-devices (boot-parameters-store-crypto-devices param= s)) (store-directory-prefix (boot-parameters-store-directory-prefix params)) (old-generations @@ -400,6 +401,7 @@ STORE is an open connection to the store." ((bootloader-configuration-file-generator bootloader) bootloader-config entries #:locale locale + #:store-crypto-devices store-crypto-devices #:store-directory-prefix store-directory-prefix #:old-entries old-entries))) (drvs -> (list bootcfg))) diff --git a/tests/boot-parameters.scm b/tests/boot-parameters.scm index a00b227551..c26ac83b7b 100644 =2D-- a/tests/boot-parameters.scm +++ b/tests/boot-parameters.scm @@ -50,6 +50,8 @@ (define %default-store-directory-prefix (string-append "/" %default-btrfs-subvolume)) (define %default-store-mount-point (%store-prefix)) +(define %default-store-crypto-devices + (list (uuid "00000000-1111-2222-3333-444444444444"))) (define %default-multiboot-modules '()) (define %default-locale "es_ES.utf8") (define %root-path "/") @@ -67,6 +69,7 @@ (locale %default-locale) (store-device %default-store-device) (store-directory-prefix %default-store-directory-prefix) + (store-crypto-devices %default-store-crypto-devices) (store-mount-point %default-store-mount-point))) =20 (define %default-operating-system @@ -110,6 +113,8 @@ (with-store #t) (store-device (quote-uuid %default-store-device)) + (store-crypto-devices + (map quote-uuid %default-store-crypto-devices)) (store-directory-prefix %default-store-directory-prefix) (store-mount-point %default-store-mount-point)) (define (generate-boot-parameters) 
@@ -125,12 +130,14 @@ (sexp-or-nothing " (kernel-arguments ~S)" kernel-arguments) (sexp-or-nothing " (initrd ~S)" initrd) (if with-store =2D (format #false " (store~a~a~a)" + (format #false " (store~a~a~a~a)" (sexp-or-nothing " (device ~S)" store-device) (sexp-or-nothing " (mount-point ~S)" store-mount-point) (sexp-or-nothing " (directory-prefix ~S)" =2D store-directory-prefix)) + store-directory-prefix) + (sexp-or-nothing " (crypto-devices ~S)" + store-crypto-devices)) "") (sexp-or-nothing " (locale ~S)" locale) (sexp-or-nothing " (bootloader-name ~a)" bootloader-name) @@ -159,6 +166,7 @@ (test-read-boot-parameters #:store-device #false) (test-read-boot-parameters #:store-device 'false) (test-read-boot-parameters #:store-mount-point #false) + (test-read-boot-parameters #:store-crypto-devices #false) (test-read-boot-parameters #:store-directory-prefix #false) (test-read-boot-parameters #:multiboot-modules #false) (test-read-boot-parameters #:locale #false) 
@@ -254,6 +262,23 @@ (boot-parameters-store-mount-point (test-read-boot-parameters #:with-store #false))) =20 +(test-equal "read, store-crypto-devices, default" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices #false))) + +;; XXX: +(test-equal "read, store-crypto-devices, false" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices 'false))) + +;; XXX: +(test-equal "read, store-crypto-devices, string" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices "bad"))) + ;; For whitebox testing (define operating-system-boot-parameters (@@ (gnu system) operating-system-boot-parameters)) =2D-=20 2.28.0
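Review bot: In the crypto-devices helper added to gnu/bootloader/grub.scm, crypto-device->cryptomount returns #~() for any value that is not a UUID, and #$@(crypto-devices) then splices a bare () into the generated builder, which is not a valid Scheme expression; the null? test also runs before such entries are discarded, so insmod luks can be written with no cryptomount line after it. Filter store-crypto-devices with uuid? first and build both the module line and the cryptomount lines from the filtered list. The store-crypto-devices keyword is declared without a default in this version, so a caller that omits it hands #f to map; give it '() as default. In the comment, "hypen" should read "hyphen".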
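Review bot: The export hunk in gnu/tests/install.scm adds %test-encrypted-root-and-boot-os next to %test-encrypted-root-not-boot-os, but this patch only defines %test-encrypted-root-not-boot-os, so the module would export an unbound variable; drop that export or add the test it names. The commit message has matching slips: it lists %encrypted-root-not-boot-os twice where the second name in the define-os-with-source form is %encrypted-root-not-boot-os-source, and it spells the gnu/system.scm export as operating-system-bootoader-crypto-devices.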
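Review bot: The tests added to tests/boot-parameters.scm cover a missing field, the symbol false and a string, but not a list that holds a malformed element, which is the case where read-boot-parameters runs (map uuid-sexp->uuid devices) and keeps the #f that uuid-sexp->uuid returns. Add a test for that input and make the parser drop the entry so the expected value is a list of UUIDs only. The two empty ";; XXX:" comments above the false and string tests should say what is still open or be removed.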

From: Miguel Ángel Arruga Vivas
To: Ludovic Courtès
Cc: 25305@debbugs.gnu.org, Mathieu Othacehe, 37851@debbugs.gnu.org
Subject: Re: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder
References: <20191021130709.21d6ac20@gmail.com> <20191021144758.3d8cfe95@gmail.com> <87lftc27j2.fsf@gnu.org> <87r1pkocrc.fsf@gmail.com>
Date: Wed, 28 Oct 2020 22:42:19 +0100
In-Reply-To: <87r1pkocrc.fsf@gmail.com> ("Miguel Ángel Arruga Vivas"'s message of "Mon, 26 Oct 2020 23:15:03 +0100")
Message-ID: <87ft5ym3ic.fsf@gmail.com>

In this v2 I've fixed two flaws I saw in the previous patch: the parameter store-crypto-devices now has the empty list as default value, and now the function documents the parameter too.

Happy hacking!
Miguel

Content-Type: text/x-patch; charset=utf-8
Content-Disposition: attachment; filename=v4-0005-system-Allow-separated-boot-and-encrypted-root.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: 0001-system-Allow-separated-/boot-and-encrypted-root.patch

From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001
From: Miguel Ángel Arruga Vivas
Date: Sun, 25 Oct 2020 16:31:17 +0100
Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root.

* gnu/bootloader/grub.scm (grub-configuration-file): New parameter store-crypto-devices.
[crypto-devices]: New helper function.
[builder]: Use crypto-devices.
* gnu/machine/ssh.scm (roll-back-managed-host): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process.
* gnu/tests/install.scm (%encrypted-root-not-boot-os, %encrypted-root-not-boot-os): New os declaration.
(%encrypted-root-not-boot-installation-script): New script, whose contents were initially taken from %encrypted-root-installation-script.
(%test-encrypted-root-not-boot-os): New test.
* gnu/system.scm (define-module): Export operating-system-bootoader-crypto-devices and boot-parameters-store-crypto-devices.
(): Add field store-crypto-devices.
(read-boot-parameters): Parse store-crypto-devices field.
[uuid-sexp->uuid]: New helper function extracted from device-sexp->device.
(operating-system-bootloader-crypto-devices): New function.
(operating-system-bootcfg): Use operating-system-bootloader-crypto-devices to provide its contents to the bootloader configuration generation process.
(operating-system-boot-parameters): Add store-crypto-devices to the generated boot-parameters.
(operating-system-boot-parameters-file): Likewise to the file with the serialized structure.
* guix/scripts/system.scm (reinstall-bootloader): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process.
* tests/boot-parameters.scm (%default-store-crypto-devices): New variable.
(%grub-boot-parameters, test-read-boot-parameters): Use %default-store-crypto-devices.
(tests store-crypto-devices): New tests.
--- gnu/bootloader/grub.scm | 21 +++++++- gnu/machine/ssh.scm | 3 ++ gnu/system.scm | 57 ++++++++++++++++++++- gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ guix/scripts/system.scm | 2 + tests/boot-parameters.scm | 29 ++++++++++- 6 files changed, 210 insertions(+), 5 deletions(-) diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index e5fc3470a9..40ea4fbaf7 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2017 Leo Famulari ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Maxim Cournoyer ;;; Copyright =C2=A9 2020 Stefan ;;; @@ -360,11 +360,14 @@ code." (locale #f) (system (%current-system)) (old-entries '()) + (store-crypto-devices '()) store-directory-prefix) "Return the GRUB configuration file corresponding to CONFIG, a object, and where the store is available at STORE-FS, a object. OLD-ENTRIES is taken to be a list of me= nu entries corresponding to old generations of the system. +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must +be unlocked to access the store contents. STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is requir= ed when booting a root file system on a Btrfs subvolume." (define all-entries 
@@ -412,6 +415,21 @@ menuentry ~s { (string-join (map string-join '#$modules) "\n module " 'prefix)))))) =20 + (define (crypto-devices) + (define (crypto-device->cryptomount dev) + (if (uuid? dev) + #~(format port "cryptomount -u ~a~%" + ;; cryptomount only accepts UUID without the hypen. + #$(string-delete #\- (uuid->string dev))) + ;; Other type of devices aren't implemented. + #~())) + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) + ;; XXX: Add luks2 when grub 2.06 is packaged. + (modules #~(format port "insmod luks~%"))) + (if (null? devices) + devices + (cons modules devices)))) + (define (sugar) (let* ((entry (first all-entries)) (device (menu-entry-device entry)) @@ -468,6 +486,7 @@ keymap ~a~%" #$keymap)))) "# This file was generated from your Guix configuration.= Any changes # will be lost upon reconfiguration. ") + #$@(crypto-devices) #$(sugar) #$locale-config #$keyboard-layout-config diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm index a3a12fb54b..822f401c1a 100644 --- a/gnu/machine/ssh.scm +++ b/gnu/machine/ssh.scm @@ -482,6 +482,8 @@ an environment type of 'managed-host." (list (second boot-parameters)))) (locale -> (boot-parameters-locale (second boot-parameters))) + (crypto-dev -> (boot-parameters-store-crypto-devices + (second boot-parameters))) (store-dir -> (boot-parameters-store-directory-pref= ix (second boot-parameters))) (old-entries -> (map boot-parameters->menu-entry @@ -494,6 +496,7 @@ an environment type of 'managed-host." bootloader)) bootloader entries #:locale locale + #:store-crypto-devices crypto-dev #:store-directory-prefix store-dir #:old-entries old-entries))) (remote-result (machine-remote-eval machine remote-= exp))) diff --git a/gnu/system.scm b/gnu/system.scm index 30a5c418d0..3a718642cf 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2016 Chris Marusich ;;; Copyright =C2=A9 2017 Mathieu Othacehe ;;; Copyright =C2=A9 2019 Meiyo Peng -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas ;;; Copyright =C2=A9 2020 Danny Milosavljevic ;;; Copyright =C2=A9 2020 Brice Waegeneire ;;; Copyright =C2=A9 2020 Florian Pelz @@ -112,6 +112,7 @@ operating-system-store-file-system operating-system-user-mapped-devices operating-system-boot-mapped-devices + operating-system-bootloader-crypto-devices operating-system-activation-script operating-system-user-accounts operating-system-shepherd-service-names @@ -147,6 +148,7 @@ boot-parameters-root-device boot-parameters-bootloader-name boot-parameters-bootloader-menu-entries + boot-parameters-store-crypto-devices boot-parameters-store-device boot-parameters-store-directory-prefix boot-parameters-store-mount-point @@ -301,6 +303,8 @@ directly by the user." (store-device boot-parameters-store-device) (store-mount-point boot-parameters-store-mount-point) (store-directory-prefix boot-parameters-store-directory-prefix) + (store-crypto-devices boot-parameters-store-crypto-devices + (default '())) (locale boot-parameters-locale) (kernel boot-parameters-kernel) (kernel-arguments boot-parameters-kernel-arguments) @@ -334,6 +338,13 @@ file system labels." (if (string-prefix? "/" device) device (file-system-label device)))))) + (define uuid-sexp->uuid + (match-lambda + (('uuid (? symbol? type) (? bytevector? bv)) + (bytevector->uuid bv type)) + (x + (warning (G_ "unrecognized uuid ~a at '~a'~%") x (port-filename por= t)) + #f))) =20 (match (read port) (('boot-parameters ('version 0) 
@@ -407,6 +418,24 @@ file system labels." ;; No store found, old format. #f))) =20 + (store-crypto-devices + (match (assq 'store rest) + (('store . store-data) + (match (assq 'crypto-devices store-data) + (('crypto-devices devices) + (if (list? devices) + (map uuid-sexp->uuid devices) + (begin + (warning (G_ "unrecognized crypto-device ~S at '~a'~%") + devices (port-filename port)) + '()))) + (_ + ;; No crypto-devices found + '()))) + (_ + ;; No store found, old format. + '()))) + (store-mount-point (match (assq 'store rest) (('store ('device _) ('mount-point mount-point) _ ...) @@ -520,6 +549,23 @@ from the initrd." (any file-system-needed-for-boot? users))) devices))) =20 +(define (operating-system-bootloader-crypto-devices os) + "Return the subset of mapped devices that the bootloader must open. +Only devices specified by uuid are supported." + (map mapped-device-source + (filter (match-lambda + ((and (=3D mapped-device-type type) + (=3D mapped-device-source source)) + (and (eq? luks-device-mapping type) + (or (uuid? source) + (begin + (warning (G_ "\ +mapped-device '~a' won't be mounted by the bootloader.~%") + source) + #f))))) + ;; XXX: Ordering is important, we trust the returned one. + (operating-system-boot-mapped-devices os)))) + (define (device-mapping-services os) "Return the list of device-mapping services for OS as a list." (map device-mapping-service @@ -1256,6 +1302,7 @@ a list of , to populate the \"old entries= \" menu." (root-fs (operating-system-root-file-system os)) (root-device (file-system-device root-fs)) (locale (operating-system-locale os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (params (operating-system-boot-parameters os root-device #:system-kernel-arguments? #t)) 
@@ -1269,6 +1316,7 @@ a list of , to populate the \"old entries= \" menu." (generate-config-file bootloader-conf (list entry) #:old-entries old-entries #:locale locale + #:store-crypto-devices crypto-devices #:store-directory-prefix (btrfs-store-subvolume-file-name file-systems)))) =20 @@ -1308,6 +1356,7 @@ such as '--root' and '--load' to ." (operating-system-initrd-file os))) (store (operating-system-store-file-system os)) (file-systems (operating-system-file-systems os)) + (crypto-devices (operating-system-bootloader-crypto-devices os)) (locale (operating-system-locale os)) (bootloader (bootloader-configuration-bootloader (operating-system-bootloader os))) @@ -1330,6 +1379,7 @@ such as '--root' and '--load' to ." (locale locale) (store-device (ensure-not-/dev (file-system-device store))) (store-directory-prefix (btrfs-store-subvolume-file-name file-systems= )) + (store-crypto-devices crypto-devices) (store-mount-point (file-system-mount-point store))))) =20 (define (device->sexp device) @@ -1388,7 +1438,10 @@ being stored into the \"parameters\" file)." (mount-point #$(boot-parameters-store-mount-point params)) (directory-prefix - #$(boot-parameters-store-directory-prefix params)))) + #$(boot-parameters-store-directory-prefix params)) + (crypto-devices + #$(map device->sexp + (boot-parameters-store-crypto-devices params= ))))) #:set-load-path? #f))) =20 (define-gexp-compiler (operating-system-compiler (os ) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 86bd93966b..8f1668bab2 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -63,6 +63,8 @@ %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-not-boot-os + %test-encrypted-root-and-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os %test-jfs-root-os 
@@ -796,6 +798,107 @@ build (current-guix) and then store a couple of full = system images.") (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) =20 + +;;; +;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. +;;; + +(define-os-with-source (%encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "bootroot") + (timezone "Europe/Madrid") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vdb"))) + + (mapped-devices (list (mapped-device + (source + (uuid "12345678-1234-1234-1234-123456789abc")) + (target "root") + (type luks-device-mapping)))) + (file-systems (cons* (file-system + (device (file-system-label "my-boot")) + (mount-point "/boot") + (type "ext4")) + (file-system + (device "/dev/mapper/root") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %encrypted-root-not-boot-installation-script + ;; Shell script for an installation with boot not encrypted but root + ;; encrypted. + (format #f "\ +. 
/etc/profile +set -e -x +guix --version + +export GUIX_BUILD_OPTIONS=3D--no-grafts +ls -l /run/current-system/gc-roots +parted --script /dev/vdb mklabel gpt \\ + mkpart primary ext2 1M 3M \\ + mkpart primary ext2 3M 50M \\ + mkpart primary ext2 50M 1.6G \\ + set 1 boot on \\ + set 1 bios_grub on +echo -n \"~a\" | cryptsetup luksFormat --uuid=3D\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root +mkfs.ext4 -L my-root /dev/mapper/root +mkfs.ext4 -L my-boot /dev/vdb2 +mount LABEL=3Dmy-root /mnt +mkdir /mnt/boot +mount LABEL=3Dmy-boot /mnt/boot +echo \"Checking mounts\" +mount +herd start cow-store /mnt +mkdir /mnt/etc +cp /etc/target-config.scm /mnt/etc/config.scm +guix system build /mnt/etc/config.scm +guix system init /mnt/etc/config.scm /mnt --no-substitutes +sync +echo \"Debugging info\" +blkid +cat /mnt/boot/grub/grub.cfg +reboot\n" + %luks-passphrase "12345678-1234-1234-1234-123456789abc" + %luks-passphrase)) + +(define %test-encrypted-root-not-boot-os + (system-test + (name "encrypted-root-not-boot-os") + (description + "Test the manual installation on an OS with / in an encrypted partition +but /boot on a different, non-encrypted partition. This test is expensive= in +terms of CPU and storage usage since we need to build (current-guix) and t= hen +store a couple of full system images.") + (value + (mlet* %store-monad + ((image (run-install %encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source + #:script + %encrypted-root-not-boot-installation-script)) + (command (qemu-command/writable-image image))) + (run-basic-test %encrypted-root-not-boot-os command + "encrypted-root-not-boot-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Btrfs root file system. diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index ad998156c2..02cf2a12a2 100644 --- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm 
@@ -385,6 +385,7 @@ STORE is an open connection to the store." (params (first (profile-boot-parameters %system-profile (list number)))) (locale (boot-parameters-locale params)) + (store-crypto-devices (boot-parameters-store-crypto-devices param= s)) (store-directory-prefix (boot-parameters-store-directory-prefix params)) (old-generations @@ -400,6 +401,7 @@ STORE is an open connection to the store." ((bootloader-configuration-file-generator bootloader) bootloader-config entries #:locale locale + #:store-crypto-devices store-crypto-devices #:store-directory-prefix store-directory-prefix #:old-entries old-entries))) (drvs -> (list bootcfg))) diff --git a/tests/boot-parameters.scm b/tests/boot-parameters.scm index a00b227551..c26ac83b7b 100644 --- a/tests/boot-parameters.scm +++ b/tests/boot-parameters.scm @@ -50,6 +50,8 @@ (define %default-store-directory-prefix (string-append "/" %default-btrfs-subvolume)) (define %default-store-mount-point (%store-prefix)) +(define %default-store-crypto-devices + (list (uuid "00000000-1111-2222-3333-444444444444"))) (define %default-multiboot-modules '()) (define %default-locale "es_ES.utf8") (define %root-path "/") @@ -67,6 +69,7 @@ (locale %default-locale) (store-device %default-store-device) (store-directory-prefix %default-store-directory-prefix) + (store-crypto-devices %default-store-crypto-devices) (store-mount-point %default-store-mount-point))) =20 (define %default-operating-system @@ -110,6 +113,8 @@ (with-store #t) (store-device (quote-uuid %default-store-device)) + (store-crypto-devices + (map quote-uuid %default-store-crypto-devices)) (store-directory-prefix %default-store-directory-prefix) (store-mount-point %default-store-mount-point)) (define (generate-boot-parameters) 
@@ -125,12 +130,14 @@ (sexp-or-nothing " (kernel-arguments ~S)" kernel-arguments) (sexp-or-nothing " (initrd ~S)" initrd) (if with-store - (format #false " (store~a~a~a)" + (format #false " (store~a~a~a~a)" (sexp-or-nothing " (device ~S)" store-device) (sexp-or-nothing " (mount-point ~S)" store-mount-point) (sexp-or-nothing " (directory-prefix ~S)" - store-directory-prefix)) + store-directory-prefix) + (sexp-or-nothing " (crypto-devices ~S)" + store-crypto-devices)) "") (sexp-or-nothing " (locale ~S)" locale) (sexp-or-nothing " (bootloader-name ~a)" bootloader-name) @@ -159,6 +166,7 @@ (test-read-boot-parameters #:store-device #false) (test-read-boot-parameters #:store-device 'false) (test-read-boot-parameters #:store-mount-point #false) + (test-read-boot-parameters #:store-crypto-devices #false) (test-read-boot-parameters #:store-directory-prefix #false) (test-read-boot-parameters #:multiboot-modules #false) (test-read-boot-parameters #:locale #false) 
@@ -254,6 +262,23 @@ (boot-parameters-store-mount-point (test-read-boot-parameters #:with-store #false))) =20 +(test-equal "read, store-crypto-devices, default" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices #false))) + +;; XXX: +(test-equal "read, store-crypto-devices, false" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices 'false))) + +;; XXX: +(test-equal "read, store-crypto-devices, string" + '() + (boot-parameters-store-crypto-devices + (test-read-boot-parameters #:store-crypto-devices "bad"))) + ;; For whitebox testing (define operating-system-boot-parameters (@@ (gnu system) operating-system-boot-parameters)) --=20 2.28.0 --=-=-=--
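Review bot: In gnu/bootloader/grub.scm at @@ -412,6 +415,21 @@, the non-uuid branch of crypto-device->cryptomount returns #~(), which is still spliced into the builder through #$@(crypto-devices); Guile does not accept an empty combination as an expression, and since the mapped list is then non-null, "insmod luks" is written with no cryptomount after it. Filter store-crypto-devices down to uuids before the map (filter-map fits) and drop the #~() branch, so that an unsupported device yields no output at all. While there, "hypen" in the comment should read "hyphen", and the docstring line added at @@ -360,11 +360,14 @@ should say "contains".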
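Review bot: In the read-boot-parameters hunk of gnu/system.scm at @@ -407,6 +418,24 @@, (map uuid-sexp->uuid devices) keeps the #f that uuid-sexp->uuid returns after warning about an unrecognized entry, so store-crypto-devices can come back as a list with #f in it and every consumer has to cope with that. Use filter-map there so a bad entry is reported once and then dropped.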
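Review bot: The export list in gnu/tests/install.scm at @@ -63,6 +63,8 @@ adds %test-encrypted-root-and-boot-os, but nothing in this patch defines it; only %test-encrypted-root-not-boot-os is added at @@ -796,6 +798,107 @@, and the commit message lists only that one. Drop the export or add the missing test.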
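Review bot: The tests added in tests/boot-parameters.scm at @@ -254,6 +262,23 @@ only feed a crypto-devices value that is absent or is not a list ('false, "bad"); there is no case for a list that contains one malformed element, which is the input where (map uuid-sexp->uuid devices) lets #f through. Add that case, and either fill in or remove the two empty ";; XXX:" comments so the next reader knows what is pending.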
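Review bot: In gnu/machine/ssh.scm at @@ -482,6 +482,8 @@ (and likewise guix/scripts/system.scm at @@ -385,6 +385,7 @@), the crypto devices are taken only from the boot parameters of the generation being reinstalled, while grub.scm writes the cryptomount lines once at the top of the file for every menu entry. An entry in old-entries whose store sat behind a different LUKS device would not get that device unlocked. If this is an accepted limitation, state it in the grub-configuration-file docstring; otherwise collect the devices of the old generations as well.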
From: Ludovic Courtès
To: Miguel Ángel Arruga Vivas
Cc: 25305@debbugs.gnu.org, Mathieu Othacehe, 37851@debbugs.gnu.org
Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder
Date: Mon, 14 Dec 2020 14:11:37 +0100
Message-ID: <87k0tksfau.fsf@gnu.org>

Hi Miguel,

Miguel Ángel Arruga Vivas skribis:

>>>From 52993db19da43699ea96ea16ebb051b9652934f9 Mon Sep 17 00:00:00 2001
> From: Miguel Ángel Arruga Vivas
> Date: Sun, 25 Oct 2020 16:31:17 +0100
> Subject: [PATCH v4 5/5] system: Allow separated /boot and encrypted root.
>
> * gnu/bootloader/grub.scm (grub-configuration-file): New parameter
> store-crypto-devices.
> [crypto-devices]: New helper function.
> [builder]: Use crypto-devices.
> * gnu/machine/ssh.scm (roll-back-managed-host): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * gnu/tests/install.scm (%encrypted-root-not-boot-os,
> %encrypted-root-not-boot-os): New os declaration.
> (%encrypted-root-not-boot-installation-script): New script, whose contents
> were initially taken from %encrypted-root-installation-script.
> (%test-encrypted-root-not-boot-os): New test.
> * gnu/system.scm (define-module): Export
> operating-system-bootoader-crypto-devices and
> boot-parameters-store-crypto-devices.
> (): Add field store-crypto-devices.
> (read-boot-parameters): Parse store-crypto-devices field.
> [uuid-sexp->uuid]: New helper function extracted from
> device-sexp->device.
> (operating-system-bootloader-crypto-devices): New function.
> (operating-system-bootcfg): Use
> operating-system-bootloader-crypto-devices to provide its contents to
> the bootloader configuration generation process.
> (operating-system-boot-parameters): Add store-crypto-devices to the
> generated boot-parameters.
> (operating-system-boot-parameters-file): Likewise to the file with
> the serialized structure.
> * guix/scripts/system.scm (reinstall-bootloader): Use
> boot-parameters-store-crypto-devices to provide its contents to the
> bootloader configuration generation process.
> * tests/boot-parameters.scm (%default-store-crypto-devices): New
> variable.
> (%grub-boot-parameters, test-read-boot-parameters): Use
> %default-store-crypto-devices.
> (tests store-crypto-devices): New tests.
> --- > gnu/bootloader/grub.scm | 21 +++++++- > gnu/machine/ssh.scm | 3 ++ > gnu/system.scm | 57 ++++++++++++++++++++- > gnu/tests/install.scm | 103 ++++++++++++++++++++++++++++++++++++++ > guix/scripts/system.scm | 2 + > tests/boot-parameters.scm | 29 ++++++++++- > 6 files changed, 210 insertions(+), 5 deletions(-) Woohoo! > --- a/gnu/bootloader/grub.scm > +++ b/gnu/bootloader/grub.scm > @@ -4,7 +4,7 @@ > ;;; Copyright =C2=A9 2017 Leo Famulari > ;;; Copyright =C2=A9 2017, 2020 Mathieu Othacehe > ;;; Copyright =C2=A9 2019, 2020 Jan (janneke) Nieuwenhuizen > -;;; Copyright =C2=A9 2019 Miguel =C3=81ngel Arruga Vivas > +;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas > ;;; Copyright =C2=A9 2020 Maxim Cournoyer > ;;; Copyright =C2=A9 2020 Stefan > ;;; > @@ -360,11 +360,14 @@ code." > (locale #f) > (system (%current-system)) > (old-entries '()) > + (store-crypto-devices '()) > store-directory-prefix) > "Return the GRUB configuration file corresponding to CONFIG, a > object, and where the store is available at > STORE-FS, a object. OLD-ENTRIES is taken to be a list of = menu > entries corresponding to old generations of the system. > +STORE-CRYPTO-DEVICES contain the UUIDs of the encrypted units that must > +be unlocked to access the store contents. > STORE-DIRECTORY-PREFIX may be used to specify a store prefix, as is requ= ired > when booting a root file system on a Btrfs subvolume." > (define all-entries 
> @@ -412,6 +415,21 @@ menuentry ~s { > (string-join (map string-join '#$modules) > "\n module " 'prefix)))))) >=20=20 > + (define (crypto-devices) > + (define (crypto-device->cryptomount dev) > + (if (uuid? dev) > + #~(format port "cryptomount -u ~a~%" > + ;; cryptomount only accepts UUID without the hypen. > + #$(string-delete #\- (uuid->string dev))) > + ;; Other type of devices aren't implemented. > + #~())) > + (let ((devices (map crypto-device->cryptomount store-crypto-devices)) > + ;; XXX: Add luks2 when grub 2.06 is packaged. > + (modules #~(format port "insmod luks~%"))) > + (if (null? devices) > + devices > + (cons modules devices))))

What I don’t get is why we’re able to use an encrypted root right now
without emitting “cryptomount” GRUB commands?

> + (store-crypto-devices > + (match (assq 'store rest) > + (('store . store-data) > + (match (assq 'crypto-devices store-data) > + (('crypto-devices devices) > + (if (list? devices) > + (map uuid-sexp->uuid devices) > + (begin > + (warning (G_ "unrecognized crypto-device ~S at '~a'~%= ") > + devices (port-filename port)) > + '())))

You could avoid ‘if’ by having clauses like:

  (('crypto-devices (devices ...))
   ;; …
   )
  (('crypto-devices _)
   (warning …)
   '())
  (_
   '())

> + (_ > + ;; No crypto-devices found > + '()))) > + (_ > + ;; No store found, old format. > + '())))

s/No store found/No crypto devices found/ ?

> +(define (operating-system-bootloader-crypto-devices os) > + "Return the subset of mapped devices that the bootloader must open. > +Only devices specified by uuid are supported." > + (map mapped-device-source > + (filter (match-lambda > + ((and (=3D mapped-device-type type) > + (=3D mapped-device-source source)) > + (and (eq? luks-device-mapping type) > + (or (uuid? source) > + (begin > + (warning (G_ "\ > +mapped-device '~a' won't be mounted by the bootloader.~%") > + source) > + #f))))) > + ;; XXX: Ordering is important, we trust the returned one. > + (operating-system-boot-mapped-devices os))))

You can use ‘filter-map’ here.

The rest LGTM!  Make sure the “installed-os” and “encrypted-root-os”
system tests are still fine, and if they are, I guess you can go ahead.

Thanks!

Ludo’.
From: Miguel Ángel Arruga Vivas
To: Ludovic Courtès
Cc: 25305-done@debbugs.gnu.org, Mathieu Othacehe, 37851-done@debbugs.gnu.org
Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder
Date: Mon, 21 Dec 2020 21:23:36 +0100
Message-ID: <87k0tazz5j.fsf@gmail.com>

Hi Ludo,

First of all, thanks for your review. :-)

Ludovic Courtès writes:

> Hi Miguel,
>
> Miguel Ángel Arruga Vivas skribis:
>> + (define (crypto-devices) >> + (define (crypto-device->cryptomount dev) >> + (if (uuid? dev) >> + #~(format port "cryptomount -u ~a~%" >> + ;; cryptomount only accepts UUID without the hypen. >> + #$(string-delete #\- (uuid->string dev))) >> + ;; Other type of devices aren't implemented. >> + #~())) >> + (let ((devices (map crypto-device->cryptomount store-crypto-devices= )) >> + ;; XXX: Add luks2 when grub 2.06 is packaged. >> + (modules #~(format port "insmod luks~%"))) >> + (if (null? devices) >> + devices >> + (cons modules devices))))
>
> What I don’t get is why we’re able to use an encrypted root right now
> without emitting “cryptomount” GRUB commands?

The grub boot process goes more or less like this:

  1. Firmware loads the initial image.
  1.1. If that image is not the final one, it contains a "pointer" to
       the final one, which is loaded by it; this chain can be viewed as
       part of the firmware loading for this purpose.
  2. The image code reads an initial configuration file, which is
     usually generated by grub-install/grub-mkstandalone.  Here Grub is
     placing the needed cryptomount lines for the devices needed to
     mount target in order to read grub.cfg and other modules.
  3. grub.cfg is read (a.k.a. normal mode) and the usual boot process
     follows.

The first configuration file is generated automatically by grub-install,
which physically scans the target location (still /boot in our case) and
inserts the needed insmod and cryptomount calls.  When the target and
the store don't share the device, the calls leading to the store must be
inserted manually into grub.cfg.

It could be easier to remove completely /boot and use a directory from
the store, but that leads to more writes of the image, as each
reconfiguration involving a change on the devices used for the store
must end up returning a different store file name too.  Nonetheless,
that would leave /boot untouched if anybody wants to install their
version of grub there for other purposes...

>> + (_ >> + ;; No crypto-devices found >> + '()))) >> + (_ >> + ;; No store found, old format. >> + '())))
>
> s/No store found/No crypto devices found/ ?

The first comment is reached when crypto-devices isn't found in a
(boot-parameters ... (store ...) ...) form.  The second one is reached
when (boot-parameters ...) form doesn't even contain a tag store in it.
It follows the same pattern as store-device, as the old format didn't
have a store element.

On the other hand, I added a period to the first sentence as it was
missing. 0:)

>> +(define (operating-system-bootloader-crypto-devices os) >> + "Return the subset of mapped devices that the bootloader must open.
>> +Only devices specified by uuid are supported." >> + (map mapped-device-source >> + (filter (match-lambda >> + ((and (=3D mapped-device-type type) >> + (=3D mapped-device-source source)) >> + (and (eq? luks-device-mapping type) >> + (or (uuid? source) >> + (begin >> + (warning (G_ "\ >> +mapped-device '~a' won't be mounted by the bootloader.~%") >> + source) >> + #f))))) >> + ;; XXX: Ordering is important, we trust the returned one. >> + (operating-system-boot-mapped-devices os))))
>
> You can use ‘filter-map’ here.

Thanks for the pointer!  I've modified a bit tests/boot-parameters.scm
to be extra-sure that I was doing that change OK, as I moved the or to
an internal function for readability too.

> The rest LGTM!  Make sure the “installed-os” and “encrypted-root-os”
> system tests are still fine, and if they are, I guess you can go ahead.

Pushed to master as f00e68ace0 with these changes, after running the
tests and booting up my system.

Happy hacking!
Miguel
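
The split described in the message above (grub-install only writes the unlock calls needed to reach /boot, so the ones leading to the store have to be in grub.cfg) can be checked on a generated file. This is an added example, not part of the thread or of Guix: audit_grub_cfg, its finding codes, the sample configurations and the /gnu/store prefix are assumptions for illustration, and it relies only on the "insmod luks" and "cryptomount -u" line formats shown in the patch.

```python
import re

CRYPTOMOUNT_RE = re.compile(r"^\s*cryptomount\s+-u\s+(\S+)\s*$")
INSMOD_LUKS_RE = re.compile(r"^\s*insmod\s+luks\s*$")


def normalize_uuid(uuid):
    """Hyphen-less, lower-case form, as the patch passes it to cryptomount."""
    return uuid.replace("-", "").lower()


def audit_grub_cfg(text, store_uuids, store_prefix="/gnu/store"):
    """Return (line number, code, detail) findings for a grub.cfg.

    store_uuids:  LUKS UUIDs that must be opened to reach the store.
    store_prefix: assumed store directory (Guix's default location).
    """
    required = [normalize_uuid(u) for u in store_uuids]
    unlocked = set()
    luks_loaded = False
    early_read_reported = False
    findings = []

    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        if INSMOD_LUKS_RE.match(line):
            luks_loaded = True
            continue
        m = CRYPTOMOUNT_RE.match(line)
        if m:
            arg = m.group(1)
            if not luks_loaded:
                findings.append((lineno, "luks-module-not-loaded", arg))
            if "-" in arg:
                # Per the patch comment, cryptomount wants no hyphens,
                # so a hyphenated argument is not counted as an unlock.
                findings.append((lineno, "hyphenated-uuid", arg))
            else:
                unlocked.add(arg.lower())
            continue
        if store_prefix in line and not early_read_reported:
            # First file read from the store: every device must be open.
            missing = [u for u in required if u not in unlocked]
            if missing:
                findings.append(
                    (lineno, "store-read-before-unlock", ",".join(missing)))
                early_read_reported = True

    for u in required:
        if u not in unlocked:
            findings.append((None, "never-unlocked", u))
    return findings


# Constructed samples; the UUID is the one used by the patch's system test,
# the store item names are placeholders.
STORE_UUIDS = ["12345678-1234-1234-1234-123456789abc"]

GOOD_CFG = """\
# This file was generated from your Guix configuration.  Any changes
# will be lost upon reconfiguration.
insmod luks
cryptomount -u 12345678123412341234123456789abc
menuentry "GNU (constructed sample)" {
  linux /gnu/store/PLACEHOLDER-linux/bzImage
  initrd /gnu/store/PLACEHOLDER-initrd/initrd.cpio.gz
}
"""

# Separate /boot, store behind LUKS, and no unlock call in grub.cfg.
NO_UNLOCK_CFG = """\
menuentry "GNU (constructed sample)" {
  linux /gnu/store/PLACEHOLDER-linux/bzImage
}
"""

# Unlock call present, but hyphenated and without the luks module.
HYPHEN_CFG = """\
cryptomount -u 12345678-1234-1234-1234-123456789abc
menuentry "GNU (constructed sample)" {
  linux /gnu/store/PLACEHOLDER-linux/bzImage
}
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("no-unlock", NO_UNLOCK_CFG),
                      ("hyphen", HYPHEN_CFG)):
        print(name, audit_grub_cfg(cfg, STORE_UUIDS))
```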

From: Ludovic Courtès
To: Miguel Ángel Arruga Vivas
Cc: 25305-done@debbugs.gnu.org, Mathieu Othacehe, 37851-done@debbugs.gnu.org
Subject: Re: bug#37851: bug#25305: bug#37851: Grub installation only checks for encrypted /boot folder
Date: Tue, 22 Dec 2020 14:41:07 +0100
Message-ID: <8735zy2c24.fsf@gnu.org>

Hi,

Miguel Ángel Arruga Vivas skribis:

> Pushed to master as f00e68ace0 with these changes, after running the
> tests and booting up my system.

Woohoo, thank you!

Ludo’.

From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 20 Jan 2021 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator