Message ID | cover.1690922760.git.wolf@wolfsden.cz |
---|---|
Headers | Subject: [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file; From: Tomas Volf <wolf@wolfsden.cz>; To: 65002@debbugs.gnu.org; Cc: Tomas Volf <wolf@wolfsden.cz>; Date: Tue, 1 Aug 2023 22:53:10 +0200; Resent-Date: Tue, 01 Aug 2023 21:08:01 +0000; Message-ID: <cover.1690922760.git.wolf@wolfsden.cz>; X-Mailer: git-send-email 2.41.0; List-Id: <guix-patches.gnu.org>; List-Archive: <https://lists.gnu.org/archive/html/guix-patches> |
Series | Add support for unlocking root device via a key file |
Message
Tomas Volf
Aug. 1, 2023, 8:53 p.m. UTC
When having an encrypted /boot, it is currently necessary to input a password twice: once for /boot (so that grub can find its configuration) and later once more in order to actually unlock / itself. It is not very user friendly and gets annoying quickly in more exotic setups. For example, with / on RAID1 BTRFS, the password needs to be entered 4 times. And even without that, for large encrypted arrays, the password needs to be entered once per drive.

The obvious solution to this is to just use the --key-file option of the luksOpen command; however, support for that was not implemented. This series adds that support.

Another problem is where to store the key file, since it needs to be present in the initrd, but it cannot be in the store (since that would make it world-readable, and you do not want that for an encryption key). Luckily for us, grub can load multiple initrds and merge them, so an option to specify an additional initrd (not from the store) is added as well.

Since extlinux does not look like it supports encrypted /boot (and this new option should not be used for anything else), it was added only into grub.

Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
Comments
Hi,

I can confirm the patches work for me, but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.

```scheme
;; Use the UEFI variant of GRUB with the EFI System
;; Partition mounted on /boot/efi.
;; /root in /root/key-file.cpio refers to the
;; /dev/mapper/enc btrfs root subvolume and not the home of root.
(bootloader (bootloader-configuration
             (bootloader grub-efi-bootloader-luks2)
             (targets '("/boot/efi"))
             (keyboard-layout keyboard-layout)
             (extra-initrd "/root/key-file.cpio")))

;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices (list (mapped-device
                       (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
                       (target "enc")
                       (type (luks-device-mapping-with-options
                              #:key-file "/key-file.bin")))))
```

The snippet from https://issues.guix.gnu.org/55723#0 also needed some changes. I had to swap line 2 with 3, I switched ext2 with btrfs, and the different format for the uuid ticked me as well. But now I have a booting system and the passphrase only gets asked for once.

Thanks,
Dominik

[1] full config.scm: https://paste.debian.net/1288436/
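Neither the cover letter nor Dominik's configuration shows what the "additional initrd" that carries the key actually is, or how to check the two hygiene points the cover letter makes (the key must not land in the world-readable store, and nothing about it should be readable by other users). The following is an added example written for this page, not code from the patch series or from Guix. It builds the extra initrd as a plain SVR4 "newc" cpio archive, which is the format Linux initramfs images use and which GRUB can concatenate with the store-built initrd, and it audits the result. The file names `/root/key-file.cpio` and `/key-file.bin` are taken from Dominik's config; the entry is stored as `key-file.bin` without a leading slash so that it appears at the root of the merged initramfs, matching `#:key-file "/key-file.bin"`. Enrolling the key in a LUKS keyslot is a separate step done with `cryptsetup luksAddKey <device> <key file>` and is not performed here.

```python
"""Build and audit the extra initrd that carries a LUKS key file (added example)."""
import os
import secrets
import sys

NEWC_MAGIC = b"070701"   # SVR4 "newc" cpio: the archive format Linux initramfs uses
HEADER_LEN = 110         # 6-byte magic followed by 13 eight-character hex fields


def _pad4(n: int) -> int:
    """Zero-padding bytes needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4


def generate_key(nbytes: int = 64) -> bytes:
    """Random key material for a LUKS keyslot (enrol it with cryptsetup luksAddKey)."""
    return secrets.token_bytes(nbytes)


def newc_entry(name: str, data: bytes, mode: int, ino: int = 1) -> bytes:
    """One newc record: header, NUL-terminated name, data; each padded to 4 bytes."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (including the NUL), check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def build_key_initrd(key: bytes, key_name: str = "key-file.bin",
                     mode: int = 0o400) -> bytes:
    """Archive containing only /<key_name>; GRUB concatenates it with the normal initrd."""
    return (newc_entry(key_name, key, 0o100000 | mode)      # regular file, owner-read only
            + newc_entry("TRAILER!!!", b"", 0, ino=0))       # end-of-archive marker


def list_newc(archive: bytes):
    """Parse a newc archive into (name, mode, data) tuples, stopping at the trailer."""
    entries, off = [], 0
    while off < len(archive):
        if archive[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {off}")
        f = [int(archive[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = archive[off + HEADER_LEN: off + HEADER_LEN + namesize - 1].decode()
        data_start = off + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        if name == "TRAILER!!!":
            break
        entries.append((name, mode, archive[data_start:data_start + size]))
        off = data_start + size + _pad4(size)
    return entries


def audit_key_initrd(archive: bytes, archive_path: str,
                     key_name: str = "key-file.bin"):
    """Checks mirroring the cover letter: not in the store, key present, not world-readable."""
    problems = []
    if archive_path.startswith("/gnu/store/"):
        problems.append("archive is under /gnu/store, which is world-readable")
    entries = list_newc(archive)
    if key_name not in [n for n, _, _ in entries]:
        problems.append(f"{key_name} is missing from the archive")
    for name, mode, _ in entries:
        if mode & 0o077:
            problems.append(f"{name} is group/other readable (mode {mode & 0o7777:04o})")
    # Only meaningful on the target machine; the path is hypothetical elsewhere.
    if os.path.exists(archive_path) and os.stat(archive_path).st_mode & 0o077:
        problems.append(f"{archive_path} itself is group/other accessible")
    return problems


def write_key_initrd(archive_path: str, key_path: str) -> bytes:
    """Create key and archive with mode 0600 at open time; umask can only narrow it."""
    key = generate_key()
    for path, payload in ((key_path, key), (archive_path, build_key_initrd(key))):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
    return key


if __name__ == "__main__":
    # Usage: python3 key_initrd.py /root/key-file.cpio /root/key-file.bin
    # Then:  cryptsetup luksAddKey /dev/<luks-partition> /root/key-file.bin
    write_key_initrd(sys.argv[1], sys.argv[2])
    with open(sys.argv[1], "rb") as fh:
        print(audit_key_initrd(fh.read(), sys.argv[1]) or "ok")
```

The cpio is only as protected as the filesystem it sits on. In Dominik's layout it lives on the btrfs root subvolume of `/dev/mapper/enc`, the same LUKS volume GRUB has already unlocked with the passphrase to read its configuration, which is exactly why the second prompt becomes unnecessary without exposing the key at rest. Because the archive is not in the store, `guix system reconfigure` does not regenerate it: if you rotate the key, rebuild the cpio and re-run the audit.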