From: bug#51514 <51514@debbugs.gnu.org>
Subject: Status: [PATCH 0/2] Add support for LUKS2 root partition
Date: Wed, 18 Jun 2025 07:24:10 +0000

retitle 51514 [PATCH 0/2] Add support for LUKS2 root partition
reassign 51514 guix-patches
submitter 51514 Josselin Poiret
severity 51514 normal
tag 51514 patch
thanks

From: Josselin Poiret
To: guix-patches@gnu.org
Subject: [PATCH 0/2] Add support for LUKS2 root partition
Date: Sat, 30 Oct 2021 15:56:33 +0000
Message-ID: <87tugypkum.fsf@jpoiret.xyz>

Hi,

This patchset adds support for a LUKS2 root partition, leveraging its
Grub support since 2.06, and making sure that the Cryptsetup run-time
locking directory /var/cryptsetup/ exists before trying to unlock
devices (this is required for LUKS2): this used to fail in early
userspace because /var/ did not exist.

I've also added some documentation on the limited support: Grub only
supports PBKDF2 and not Argon2i which is the default key derivation
function. The example given in the Disk Partitioning section was
updated as well to use LUKS2.

My testing setup was: using a Guix VM, install onto a qcow2 disk which
is itself launched with QEMU. It felt a bit convoluted (especially
transferring the WIP guix to the VM, then building it), and I'll see if
I can simplify this workflow a bit, but everything worked fine with
those patches.

Best,
Josselin Poiret

Josselin Poiret (2):
  gnu: system: Add LUKS2 support for the root file system.
  doc: Document LUKS2 Grub support and shortcomings

 doc/guix.texi                 | 19 ++++++++++++++-----
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 3 files changed, 23 insertions(+), 9 deletions(-)

--
2.33.1
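
Added example (not part of the thread or of Guix): the keyslot check that the documentation patch describes, written as a POSIX shell filter over `cryptsetup luksDump` output. The function names and the embedded dump are constructed for illustration, the dump layout is assumed to follow cryptsetup 2.x, and the check is deliberately strict in treating any non-PBKDF2 keyslot as a problem.

```shell
#!/bin/sh
# Added example: report which LUKS2 keyslots use a PBKDF other than pbkdf2,
# the only one the thread says GRUB 2.06 supports.

# keyslot_pbkdfs: read luksDump text on stdin, print "<slot> <pbkdf>" per keyslot.
# Only the "Keyslots:" section is inspected.  The "Digests:" section also
# mentions pbkdf2 and must not be mistaken for a keyslot setting.
keyslot_pbkdfs() {
    awk '
        # Section headers are unindented and have nothing after the colon.
        /^[A-Za-z][A-Za-z ]*:[ \t]*$/ {
            section = $0; sub(/:[ \t]*$/, "", section); next
        }
        # "  0: luks2" opens keyslot 0.
        section == "Keyslots" && /^[ \t]+[0-9]+:[ \t]/ {
            slot = $1; sub(/:$/, "", slot); next
        }
        # "        PBKDF:      argon2i" names the KDF of the current slot.
        section == "Keyslots" && $1 == "PBKDF:" { print slot, $2 }
    '
}

# check_grub_unlock: read luksDump text on stdin.
#   returns 0 if every keyslot uses pbkdf2,
#           1 if at least one keyslot uses another PBKDF (listed on stdout),
#           2 if no LUKS2 keyslot was found in the input.
check_grub_unlock() {
    slots=$(keyslot_pbkdfs)
    if [ -z "$slots" ]; then
        echo "no LUKS2 keyslots found in input" >&2
        return 2
    fi
    bad=$(printf '%s\n' "$slots" |
          awk '$2 != "pbkdf2" { printf "%s%s(%s)", sep, $1, $2; sep = " " }')
    if [ -n "$bad" ]; then
        echo "GRUB cannot use keyslot(s): $bad"
        return 1
    fi
    echo "all keyslots use pbkdf2"
    return 0
}

# sample_dump PBKDF...: emit a CONSTRUCTED luksDump-style text with one keyslot
# per argument (abridged to the fields that matter here).
sample_dump() {
    printf 'LUKS header information\nVersion:        2\nLabel:          (no label)\n\n'
    printf 'Data segments:\n  0: crypt\n        cipher: aes-xts-plain64\n\n'
    printf 'Keyslots:\n'
    n=0
    for kdf in "$@"; do
        printf '  %d: luks2\n        Key:        512 bits\n        PBKDF:      %s\n' "$n" "$kdf"
        n=$((n + 1))
    done
    printf 'Tokens:\nDigests:\n  0: pbkdf2\n        Hash:       sha256\n'
}

# Demo on constructed input.  On a real system:
#   cryptsetup luksDump /dev/sda2 | check_grub_unlock
sample_dump argon2i | check_grub_unlock || true
sample_dump pbkdf2 pbkdf2 | check_grub_unlock
```
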

From: Josselin Poiret
To: 51514@debbugs.gnu.org
Subject: [PATCH 1/2] gnu: system: Add LUKS2 support for the root file system.
Date: Sat, 30 Oct 2021 16:12:36 +0000
Message-Id: <20211030161237.28298-1-dev@jpoiret.xyz>
In-Reply-To: <87tugypkum.fsf@jpoiret.xyz>

* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index d8e888ff40..42f71aa4db 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev) ;; Other type of devices aren't implemented. #~())) (let ((devices (map crypto-device->cryptomount store-crypto-devices)) - ;; XXX: Add luks2 when grub 2.06 is packaged. - (modules #~(format port "insmod luks~%"))) + (modules #~(format port "insmod luks~%insmod luks2~%"))) (if (null? devices) devices (cons modules devices)))) diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 518dbc4fe8..95944b03c8 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure - '((gnu build file-systems))) + '((gnu build file-systems) + (guix build utils))) ;; For mkdir-p (match targets ((target) #~(let ((source #$(if (uuid? source) 
@@ -201,7 +202,12 @@ (define (open-luks-device source targets) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) - #:select (find-partition-by-luks-uuid))) + #:select (find-partition-by-luks-uuid)) + ((guix build utils) #:select (mkdir-p))) + + ;; Create '/run/cryptsetup/' if it does not exist, as device locking + ;; is mandatory for LUKS2. + (mkdir-p "/run/cryptsetup/") ;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the ;; whole world inside the initrd (for when we're in an initrd). -- 2.33.1
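
Review bot: In the grub.scm hunk, dropping the ";; XXX: Add luks2 when grub 2.06 is packaged." comment removes the only mention that "insmod luks2" depends on GRUB 2.06, and the new format string emits it whenever the devices list is non-empty. Suggest keeping a one-line comment next to the (modules ...) binding stating that the luks2 module requires GRUB 2.06 or later, so the dependency stays visible if the packaged GRUB ever changes.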
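
Review bot: In the second mapped-devices.scm hunk, (mkdir-p "/run/cryptsetup/") is called with no explicit mode, so the lock directory and any missing parent get whatever the umask in early userspace yields. Since the comment says this directory exists for LUKS2 device locking, consider following the call with (chmod "/run/cryptsetup/" #o700) so that it is root-only regardless of the umask in effect.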

From: Josselin Poiret
To: 51514@debbugs.gnu.org
Subject: [PATCH 2/2] doc: Document LUKS2 Grub support and shortcomings
Date: Sat, 30 Oct 2021 16:12:37 +0000
Message-Id: <20211030161237.28298-2-dev@jpoiret.xyz>
In-Reply-To: <20211030161237.28298-1-dev@jpoiret.xyz>

* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
 doc/guix.texi | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 22215214e0..4420f67050 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -2492,13 +2492,22 @@ mkfs.ext4 -L my-root /dev/sda2 If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html, @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}}, -@code{man cryptsetup}} for more information). Assuming you want to -store the root partition on @file{/dev/sda2}, the command sequence would -be along these lines: +@code{man cryptsetup}} for more information). + +@quotation Warning +Note that Grub can unlock LUKS2 devices since version 2.06, but only +supports the PBKDF2 key derivation function, which is not the default +for Cryptsetup on Guix. You can check which key derivation function is +being used by a device by running @command{cryptsetup luksDump }, +and looking for the PBKDF field of your keyslots. +@end quotation + +Assuming you want to store the root partition on @file{/dev/sda2}, the +command sequence would be along these lines: @example -cryptsetup luksFormat /dev/sda2 -cryptsetup open --type luks /dev/sda2 my-partition +cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 +cryptsetup open /dev/sda2 my-partition mkfs.ext4 -L my-root /dev/mapper/my-partition @end example -- 2.33.1
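
Review bot: The added @quotation Warning tells the reader how to detect a non-PBKDF2 keyslot ("looking for the PBKDF field of your keyslots") but not what to do when one is found. Suggest a closing sentence in that block pointing at @command{cryptsetup luksConvertKey --pbkdf pbkdf2} for a device that was already formatted with the default, so the warning covers existing installations as well as the fresh luksFormat shown in the @example.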

From: Ludovic Courtès
To: Josselin Poiret
Cc: 51514@debbugs.gnu.org
Subject: Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
Date: Fri, 12 Nov 2021 23:32:02 +0100
Message-ID: <87h7chdmzh.fsf_-_@gnu.org>
In-Reply-To: <20211030161237.28298-2-dev@jpoiret.xyz>

Hello!

I haven’t tested it, but the patches LGTM.

Nitpick:

Josselin Poiret skribis:

> * doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
> Partitioning]: Document it.

[…]

> +@quotation Warning
> +Note that Grub can unlock LUKS2 devices since version 2.06, but only

s/Grub/GRUB/ :-)

> +supports the PBKDF2 key derivation function, which is not the default
> +for Cryptsetup on Guix. You can check which key derivation function is
> +being used by a device by running @command{cryptsetup luksDump },

@var{device} rather than .

> +and looking for the PBKDF field of your keyslots.

Should we change “which is not the default for Cryptsetup on Guix” to
“but @command{cryptsetup luksFormat} does not use PBKDF2 by default”?

> +@end quotation
> +
> +Assuming you want to store the root partition on @file{/dev/sda2}, the
> +command sequence would be along these lines:
^ + “to format it as a LUKS2 partition”

Could you send an updated version of this patch?

Besides, do you think we should change the installer to create LUKS2
partitions now in (gnu installer parted)?

Thanks!
Ludo’.

From: Josselin Poiret
To: Ludovic Courtès
Cc: Josselin Poiret, 51514@debbugs.gnu.org
Subject: [PATCH v2 1/3] gnu: system: Add LUKS2 support for the root file system.
Date: Mon, 15 Nov 2021 20:53:39 +0000
Message-Id: <20211115205341.9724-2-dev@jpoiret.xyz>
In-Reply-To: <20211115205341.9724-1-dev@jpoiret.xyz>

* gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod luks2'.
* gnu/system/mapped-devices.scm (open-luks-device): Create
'/run/cryptsetup/' directory.
---
 gnu/bootloader/grub.scm       |  3 +--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index d8e888ff40..42f71aa4db 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev) ;; Other type of devices aren't implemented. #~())) (let ((devices (map crypto-device->cryptomount store-crypto-devices)) - ;; XXX: Add luks2 when grub 2.06 is packaged. - (modules #~(format port "insmod luks~%"))) + (modules #~(format port "insmod luks~%insmod luks2~%"))) (if (null? devices) devices (cons modules devices)))) diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 518dbc4fe8..96a381d5fe 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm
@@ -192,7 +192,8 @@ (define (open-luks-device source targets) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure - '((gnu build file-systems))) + '((gnu build file-systems) + (guix build utils))) ;; For mkdir-p (match targets ((target) #~(let ((source #$(if (uuid? source) 
@@ -201,7 +202,12 @@ (define (open-luks-device source targets) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) - #:select (find-partition-by-luks-uuid))) + #:select (find-partition-by-luks-uuid)) + ((guix build utils) #:select (mkdir-p))) + + ;; Create '/run/cryptsetup/' if it does not exist, as device locking + ;; is mandatory for LUKS2. + (mkdir-p "/run/cryptsetup/") ;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the ;; whole world inside the initrd (for when we're in an initrd). -- 2.33.1
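
Review bot: In the first mapped-devices.scm hunk, the margin comment on the added "(guix build utils)))" line is written ";; For mkdir-p", while the existing margin comment visible in the next hunk uses a single semicolon and lower case (";bytevector?"). Suggest ";for mkdir-p" so the two imports in this procedure are annotated the same way.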

From: Josselin Poiret
To: Ludovic Courtès
Cc: Josselin Poiret, 51514@debbugs.gnu.org
Subject: [PATCH v2 2/3] doc: Document LUKS2 GRUB support and shortcomings
Date: Mon, 15 Nov 2021 20:53:40 +0000
Message-Id: <20211115205341.9724-3-dev@jpoiret.xyz>
In-Reply-To: <20211115205341.9724-1-dev@jpoiret.xyz>

* doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
Partitioning]: Document it.
---
 doc/guix.texi | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 1b10e2d626..95d286a836 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -98,6 +98,7 @@ Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* +Copyright @copyright{} 2021 Josselin Poiret@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -2492,13 +2493,24 @@ mkfs.ext4 -L my-root /dev/sda2 If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html, @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}}, -@code{man cryptsetup}} for more information). Assuming you want to -store the root partition on @file{/dev/sda2}, the command sequence would -be along these lines: +@code{man cryptsetup}} for more information). + +@quotation Warning +Note that GRUB can unlock LUKS2 devices since version 2.06, but only +supports the PBKDF2 key derivation function, which is not the default +for @command{cryptsetup luksFormat}. You can check which key derivation +function is being used by a device by running @command{cryptsetup +luksDump @var{device}}, and looking for the PBKDF field of your +keyslots. +@end quotation + +Assuming you want to store the root partition on @file{/dev/sda2}, the +command sequence to format it as a LUKS2 partition would be along these +lines: @example -cryptsetup luksFormat /dev/sda2 -cryptsetup open --type luks /dev/sda2 my-partition +cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 +cryptsetup open /dev/sda2 my-partition mkfs.ext4 -L my-root /dev/mapper/my-partition @end example -- 2.33.1
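Review bot: in the Disk Partitioning hunk, the sentence that introduces the example never says that `--pbkdf pbkdf2` is there because of the GRUB limitation described in the warning, so a reader who skips the warning may drop the flag and end up with a device GRUB cannot unlock. Suggest tying the two together, for example "the command sequence to format it as a LUKS2 partition that GRUB can unlock would be", and stating in the warning that the `cryptsetup luksDump` check applies to every keyslot used at boot. The leading "Note that" inside `@quotation Warning` is redundant.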
From: Josselin Poiret
To: Ludovic Courtès
Subject: [PATCH v2 3/3] installer: Make LUKS2 the default format for encrypted devices
Date: Mon, 15 Nov 2021 20:53:41 +0000

* gnu/installer/parted.scm (luks-format-and-open): Change it. --- gnu/installer/parted.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/installer/parted.scm b/gnu/installer/parted.scm index cbe676017b..00de0a30fa 100644 --- a/gnu/installer/parted.scm +++ b/gnu/installer/parted.scm 
@@ -1165,8 +1165,9 @@ (define (luks-format-and-open user-partition) (lambda (key-file) (syslog "formatting and opening LUKS entry ~s at ~s~%" label file-name) - (system* "cryptsetup" "-q" "luksFormat" file-name key-file) - (system* "cryptsetup" "open" "--type" "luks" + (system* "cryptsetup" "-q" "luksFormat" "--type" "luks2" + "--pbkdf" "pbkdf2" file-name key-file) + (system* "cryptsetup" "open" "--key-file" key-file file-name label))))) (define (luks-close user-partition) -- 2.33.1
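Review bot: in `luks-format-and-open`, `"--pbkdf" "pbkdf2"` is now passed for every partition the installer encrypts, with no comment saying why. The doc patch in this series ties the PBKDF2 requirement to GRUB's LUKS2 support, so add a comment to that effect next to the `luksFormat` call, and consider whether partitions GRUB never has to unlock should get this override at all. The return value of the `luksFormat` `system*` call is also ignored, so `cryptsetup open` runs even if formatting failed; checking it would be a cheap improvement.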
From: Josselin Poiret
To: Ludovic Courtès
Subject: [PATCH v2 0/3] Add support for LUKS2 root partition
Date: Mon, 15 Nov 2021 20:53:38 +0000

Hello again Ludovic,

Here is an updated patchset, which includes the changes you suggested, as well as update the installer to use LUKS2 by default (I tested it in a VM and it works pretty well). I don't think there's any reason not to use LUKS2 by default now that GRUB 2.06 supports it, and in any case if there are specific needs they can be addressed by a manual installation.

Best,

Josselin Poiret (3):
  gnu: system: Add LUKS2 support for the root file system.
  doc: Document LUKS2 GRUB support and shortcomings
  installer: Make LUKS2 the default format for encrypted devices

 doc/guix.texi                 | 22 +++++++++++++++++-----
 gnu/bootloader/grub.scm       |  3 +--
 gnu/installer/parted.scm      |  5 +++--
 gnu/system/mapped-devices.scm | 10 ++++++++--
 4 files changed, 29 insertions(+), 11 deletions(-)

--
2.33.1
From: Ludovic Courtès
To: Josselin Poiret
Subject: Re: bug#51514: [PATCH 0/2] Add support for LUKS2 root partition
Date: Wed, 01 Dec 2021 17:22:20 +0100

Hello Josselin,

Josselin Poiret wrote:

> Here is an updated patchset, which includes the changes you suggested,
> as well as update the installer to use LUKS2 by default (I tested it
> in a VM and it works pretty well). I don't think there's any reason
> not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
> case if there are specific needs they can be addressed by a manual
> installation.
>
> Best,
>
> Josselin Poiret (3):
>   gnu: system: Add LUKS2 support for the root file system.
>   doc: Document LUKS2 GRUB support and shortcomings
>   installer: Make LUKS2 the default format for encrypted devices

Applied it all after checking:

  make check-system TESTS=encrypted-root-os

Thank you!

Ludo’.
From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 30 Dec 2021 12:24:06 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks