GNU bug report logs - #66746
LUKS password prompt invisible, prompts twice

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 66746 in the body.
You can then email your comments to 66746 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Caleb Herbert <csh <at> bluehome.net>
To: bug-guix <at> gnu.org
Subject: LUKS password prompt invisible, prompts twice
Date: Wed, 25 Oct 2023 04:49:59 -0700 (PDT)

[Message part 1 (text/plain, inline)]

Hardware: ThinkPad X200
Firmware: Libreboot 2016
OS: Guix System

Expected behavior:
Password prompt. Enter LUKS passphrase. Log into computer.

Actual behavior:
Password prompt. Enter LUKS passphrase. Select boot option from GRUB menu. Hangs, no password prompt. Enter passphrase (again) anyway: Boots normally.

Steps to reproduce:
1. Turn on laptop.
2. Select SeaBIOS payload (default boot option doesn't work).
3. Respond to LUKS prompt.
4. Select boot option.
5. Stare at gray screen with no password prompt.

-- 
Caleb
https://bluehome.net/csh/

Message #8 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: kasper.andersson <at> tutanota.com
To: 66746 <66746 <at> debbugs.gnu.org>
Subject: LUKS password prompt invisible, prompts twice
Date: Thu, 26 Oct 2023 20:44:24 +0200 (CEST)

[Message part 1 (text/plain, inline)]

I can reproduce this on kernels 6.1.58, 6.5.7. Rolling back to a generation with kernel 6.1.57 fixes it, though, this is a correlation and I do not know if the kernel necessarily is what caused it.

As far as I know, the double prompt is expected behaviour (65002 seems to have a fix for that), as /boot is encrypted. What happens for me is that my custom GRUB background seems to cover the Linux framebuffer until I enter my password. After entering my LUKS password, everything works fine and I see output from Shepherd and Xorg starts as expected.

Hardware: Lenovo Thinkpad T460s

[Message part 2 (text/html, inline)]

Message #11 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Caleb Herbert <csh <at> bluehome.net>, 66746 <at> debbugs.gnu.org
Subject: Re: bug#66746: LUKS password prompt invisible, prompts twice
Date: Fri, 27 Oct 2023 20:44:55 +0200

[Message part 1 (text/plain, inline)]

Hi Caleb,

Caleb Herbert <csh <at> bluehome.net> writes:

> Hardware: ThinkPad X200
> Firmware: Libreboot 2016
> OS: Guix System
>
> Expected behavior:
> Password prompt. Enter LUKS passphrase. Log into computer.
>
> Actual behavior:
> Password prompt. Enter LUKS passphrase. Select boot option from GRUB menu. Hangs, no password prompt. Enter passphrase (again) anyway: Boots normally.

I think this is a combination of two things: first, we currently need to
unlock the drive once for GRUB, and then once when Linux boots, hence
the two password prompts.  This is a known limitation, but the usual
workaround of adding a keyfile to the initrd wouldn't work in our case
for security reasons: the keyfile would end up in the store and be
world-readable, a disaster.

Regarding the second prompt being invisible, I think it might be related
to the framebuffer initialization for Libreboot since there have been
lots of reports about this.  I don't know anything myself, but maybe
someone else could chime in?

Best,
-- 
Josselin Poiret

[signature.asc (application/pgp-signature, inline)]

Message #14 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: Saku Laesvuori <saku <at> laesvuori.fi>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: Caleb Herbert <csh <at> bluehome.net>, 66746 <at> debbugs.gnu.org
Subject: Re: bug#66746: LUKS password prompt invisible, prompts twice
Date: Fri, 27 Oct 2023 22:02:58 +0300

[Message part 1 (text/plain, inline)]

> Hi Caleb,
> 
> Caleb Herbert <csh <at> bluehome.net> writes:
> 
> > Hardware: ThinkPad X200
> > Firmware: Libreboot 2016
> > OS: Guix System
> >
> > Expected behavior:
> > Password prompt. Enter LUKS passphrase. Log into computer.
> >
> > Actual behavior:
> > Password prompt. Enter LUKS passphrase. Select boot option from GRUB menu. Hangs, no password prompt. Enter passphrase (again) anyway: Boots normally.
> 
> I think this is a combination of two things: first, we currently need to
> unlock the drive once for GRUB, and then once when Linux boots, hence
> the two password prompts.  This is a known limitation, but the usual
> workaround of adding a keyfile to the initrd wouldn't work in our case
> for security reasons: the keyfile would end up in the store and be
> world-readable, a disaster.

I believe a patch[1] enabling this is waiting for a review.

[1]: https://issues.guix.gnu.org/65002

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: kasper.andersson <at> tutanota.com
To: 66746 <66746 <at> debbugs.gnu.org>
Subject: LUKS password prompt invisible, prompts twice
Date: Sat, 28 Oct 2023 13:07:08 +0200 (CEST)

[Message part 1 (text/plain, inline)]

With regards to the invisible LUKs prompt; my laptop does not run libreboot, but is still affected. Seems more like the Thinkpad framebuffer driver has a bug on the Linux or Grub side to me.

[Message part 2 (text/html, inline)]

Message #20 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jake <jforst.mailman <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: bug#66746: LUKS password prompt invisible, prompts twice
Date: Sun, 29 Oct 2023 18:51:09 +1030

[Message part 1 (text/plain, inline)]

Hi

I’m also getting this bug (the second decrypt screen not showing up) with
Linux kernel versions 6.5.8 and 6.5.9 (the latest version as of writing);
6.5.7 does not have the bug for me.

The bug behaviour is the same on 2/2 of my Guix System machines. And it is
the same for both Linux and linux-libre kernels of the same version.

Thanks
Jake

[Message part 2 (text/html, inline)]

Message #23 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 66746 <at> debbugs.gnu.org
Subject: Re: LUKS password prompt invisible, prompts twice
Date: Sun, 29 Oct 2023 12:48:40 +0100

> I’m also getting this bug (the second decrypt screen not showing up) 
> with
> Linux kernel versions 6.5.8 and 6.5.9 (the latest version as of 
> writing);
> 6.5.7 does not have the bug for me.

Oh, this might be interesting…  At least it's something.

Could you diff a working 6.5.7 and broken 6.5.8 configuration?  The 
configuration is stored as /gnu/store/…-linux-libre-6.5.x/.config; 
there's no need to boot the kernel just to load the config.gz module.

If you use Coreboot or a derivative: do your broken kernels include 
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6d7e181ba18d11c92409a93936025fb46b9c8171>?

And if they do, have you tried booting with

  (initrd-modules (cons "framebuffer-coreboot" %base-initrd-modules))

by any chance?

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

Message #26 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: James Smith <jsubuntuxp <at> disroot.org>
To: 66746 <at> debbugs.gnu.org
Subject: Re: LUKS password prompt invisible, prompts twice
Date: Sun, 29 Oct 2023 09:04:11 -0700

Hi everyone,

I've been hit by this bug as well on my desktop (AMD GPU, default UEFI).
Reading through this thread, and especially checking commit
6d7e181ba18d11c92409a93936025fb46b9c8171, what fixed the invisible LUKS
password prompt for me was adding simplefb to the list of initrd-modules
in my system config.

Hope this helps,
James Smith

Message #29 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jake <jforst.mailman <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Re: bug#66746: LUKS password prompt invisible, prompts twice
Date: Mon, 30 Oct 2023 10:50:34 +0000

[Message part 1 (text/plain, inline)]

Hi Tobias

The initrd-modules snippet did not fix it.
Below is the diff of the .configs for 6.5.9 (not 6.5.8 sorry) and 6.5.7.

Thanks
Jake


3c3
< # Linux/x86_64 6.5.9-gnu Kernel Configuration
---
> # Linux/x86_64 6.5.7-gnu Kernel Configuration
2354c2354
< CONFIG_SYSFB_SIMPLEFB=y
---
> # CONFIG_SYSFB_SIMPLEFB is not set
2356,2363c2356
< CONFIG_GOOGLE_FIRMWARE=y
< # CONFIG_GOOGLE_SMI is not set
< # CONFIG_GOOGLE_CBMEM is not set
< CONFIG_GOOGLE_COREBOOT_TABLE=m
< # CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY is not set
< CONFIG_GOOGLE_FRAMEBUFFER_COREBOOT=m
< # CONFIG_GOOGLE_MEMCONSOLE_COREBOOT is not set
< # CONFIG_GOOGLE_VPD is not set
---
> # CONFIG_GOOGLE_FIRMWARE is not set
6956c6949
< CONFIG_DRM_SIMPLEDRM=m
---
> # CONFIG_DRM_SIMPLEDRM is not set
7085c7078
< CONFIG_FB_SIMPLE=m
---
> CONFIG_FB_SIMPLE=y

On Sun, Oct 29, 2023 at 11:49 AM Tobias Geerinckx-Rice via Bug reports for
GNU Guix <bug-guix <at> gnu.org> wrote:

> > I’m also getting this bug (the second decrypt screen not showing up)
> > with
> > Linux kernel versions 6.5.8 and 6.5.9 (the latest version as of
> > writing);
> > 6.5.7 does not have the bug for me.
>
> Oh, this might be interesting…  At least it's something.
>
> Could you diff a working 6.5.7 and broken 6.5.8 configuration?  The
> configuration is stored as /gnu/store/…-linux-libre-6.5.x/.config;
> there's no need to boot the kernel just to load the config.gz module.
>
> If you use Coreboot or a derivative: do your broken kernels include
> <
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6d7e181ba18d11c92409a93936025fb46b9c8171
> >?
>
> And if they do, have you tried booting with
>
>    (initrd-modules (cons "framebuffer-coreboot" %base-initrd-modules))
>
> by any chance?
>
> Kind regards,
>
> T G-R
>
> Sent from a Web browser.  Excuse or enjoy my brevity.
>
>
>
>

[Message part 2 (text/html, inline)]

Message #32 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jake <jforst.mailman <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: bug#66746: LUKS password prompt invisible, prompts twice
Date: Mon, 30 Oct 2023 23:03:46 +1030

[Message part 1 (text/plain, inline)]

Hi Tobias

The initrd-modules snippet did not fix it.
Below is the diff of the .configs for 6.5.9 (not 6.5.8 sorry) and 6.5.7.

Thanks
Jake


3c3
< # Linux/x86_64 6.5.9-gnu Kernel Configuration
---
> # Linux/x86_64 6.5.7-gnu Kernel Configuration
2354c2354
< CONFIG_SYSFB_SIMPLEFB=y
---
> # CONFIG_SYSFB_SIMPLEFB is not set
2356,2363c2356
< CONFIG_GOOGLE_FIRMWARE=y
< # CONFIG_GOOGLE_SMI is not set
< # CONFIG_GOOGLE_CBMEM is not set
< CONFIG_GOOGLE_COREBOOT_TABLE=m
< # CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY is not set
< CONFIG_GOOGLE_FRAMEBUFFER_COREBOOT=m
< # CONFIG_GOOGLE_MEMCONSOLE_COREBOOT is not set
< # CONFIG_GOOGLE_VPD is not set
---
> # CONFIG_GOOGLE_FIRMWARE is not set
6956c6949
< CONFIG_DRM_SIMPLEDRM=m
---
> # CONFIG_DRM_SIMPLEDRM is not set
7085c7078
< CONFIG_FB_SIMPLE=m
---
> CONFIG_FB_SIMPLE=y

[Message part 2 (text/html, inline)]

Message #35 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: X <volf.tomas <at> gmail.com>
To: 66746 <at> debbugs.gnu.org
Cc: me <at> tobias.gr
Subject: Re: LUKS password prompt invisible, prompts twice
Date: Mon, 30 Oct 2023 16:49:23 +0000

Also affected, stock thinkpad.  Can confirm that

    (initrd-modules (cons "simplefb" %base-initrd-modules))

does fix the issue for me.  Reverting
6d7e181ba18d11c92409a93936025fb46b9c8171 also fixes the issue.


T.

-- 
Tomas P4l4cl][n Volf
-- "There are only 10 types of people in the world: Those who
understand binary, and those who don't."

Message #40 received at 66746 <at> debbugs.gnu.org (full text, mbox):

From: Jake <jforst.mailman <at> gmail.com>
To: X <volf.tomas <at> gmail.com>
Cc: me <at> tobias.gr, 66746 <at> debbugs.gnu.org
Subject: Re: bug#66746: LUKS password prompt invisible, prompts twice
Date: Wed, 1 Nov 2023 20:33:55 +1030

[Message part 1 (text/plain, inline)]

A guix pull and reconfigure just now fixed it for me. I didn’t need to add
simplefb to os declaration.

Thanks
Jake

On Wed, 1 Nov 2023 at 1:06 am, X <volf.tomas <at> gmail.com> wrote:

> Also affected, stock thinkpad.  Can confirm that
>
>     (initrd-modules (cons "simplefb" %base-initrd-modules))
>
> does fix the issue for me.  Reverting
> 6d7e181ba18d11c92409a93936025fb46b9c8171 also fixes the issue.
>
>
> T.
>
> --
> Tomas P4l4cl][n Volf
> -- "There are only 10 types of people in the world: Those who
> understand binary, and those who don't."
>
>
>
>

[Message part 2 (text/html, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.