From patchwork Thu Jan 11 17:35:39 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz>
X-Patchwork-Id: 58800
Subject: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
To: 65002@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:39 +0100
X-Mailer: git-send-email 2.41.0
From: Tomas Volf Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change. * gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument. (luks-device-mapping-with-options): New procedure. * doc/guix.texi (Mapped Devices): Describe the new procedure. Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4 --- doc/guix.texi | 25 +++++++++++++ gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++------------- 2 files changed, 67 insertions(+), 25 deletions(-) base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0 diff --git a/doc/guix.texi b/doc/guix.texi index 395545bed7..b1202f2182 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* +Copyright @copyright{} 2023 Tomas Volf@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -17992,6 +17993,30 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. This has an advantage of not requiring a password entry, so +it can be used (for example) to unlock RAID arrays automatically on +boot. If key file unlock fails, password unlock is attempted as well. +Key file is not stored in the store and needs to be available at the +given location at the time of the unlock attempt. + +@lisp +;; Following definition would be equivalent to running: +;; cryptsetup open --key-file /crypto.key /dev/sdb1 data +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:key-file "/crypto.key"))) +@end lisp +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..c19a818453 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) 
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'." From patchwork Thu Jan 11 17:35:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz> X-Patchwork-Id: 58797 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 5161127BBE9; Thu, 11 Jan 2024 17:36:40 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_ADSP_ALL, DKIM_INVALID,DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 7D4C327BBEB for ; Thu, 11 Jan 2024 17:36:38 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rNyyM-0006bt-W7; Thu, 11 Jan 2024 12:36:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rNyyL-0006bG-Tj for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:05 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) 
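Review bot: The @lisp example in the doc/guix.texi hunk for luks-device-mapping-with-options (patch 1/6) has unterminated string literals: `(source "/dev/sdb1)` and `(target "data)` are each missing the closing double quote, so the example is not valid Scheme when copied. Close both strings. The paragraph above it says the key file lives outside the store and is read at unlock time; it should also say what ownership and mode the file is expected to have, because a reader following the example ends up with /crypto.key on the root file system with whatever mode it was created with.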
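Review bot: In the open-luks-device hunks of gnu/system/mapped-devices.scm (patch 1/6), `(keyfile #$key-file)` accepts anything that can be ungexp'd, so a file-like object such as a local-file would be copied into the store and the key would become world-readable, contradicting the documented "Key file is not stored in the store". Check on the host side that key-file is #f or a string and raise a clear error otherwise. Separately, when the key file is missing or rejected, the `or` falls through silently to the interactive `cryptsetup open`; on an unattended boot (the RAID use case named in the documentation) the machine then waits at a passphrase prompt with no message saying the key file was tried. Reporting the failed key-file attempt before the fallback would make that diagnosable.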
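Review bot: The docstring of luks-device-mapping-with-options in the last hunk of gnu/system/mapped-devices.scm (patch 1/6) only says the arguments are passed "into the open-luks-device procedure"; it should name KEY-FILE and state that it is a file name looked up at unlock time, not at build time. The mapping inherits `check` from luks-device-mapping and key-file is captured only in the `open` lambda, so nothing validates the key-file argument before boot; say so in the docstring or add a check.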
Subject: [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
To: 65002@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:40 +0100
Message-ID: <1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994535.git.~@wolfsden.cz>
X-Mailer: git-send-email 2.41.0
From: Tomas Volf

In order to be able to provide decryption keys for the LUKS device, they
need to be available in the initial ram disk.  However they cannot be
stored inside the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for
an initrd containing decryption keys.

This commit adds an option to load an additional initrd during the boot,
one that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd field.
* gnu/bootloader.scm (): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd field.
---
 doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm | 6 ++++-
 gnu/bootloader/grub.scm | 7 ++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +File name of an additional initrd to load during the boot. It may or +may not point to a file in the store, but the main use case is for +out-of-store files containing secrets. + +In order to be able to provide decryption keys for the LUKS device, they +need to be available in the initial ram disk. However they cannot be +stored inside the usual initrd, since it is stored in the store and +being a world-readable (as files in the store are) is not a desired +property for a initrd containing decryption keys. You can therefore use +this field to instruct GRUB to also load a manually created initrd not +stored in the store. + +For any use case not involving secrets, you should use regular initrd +(@pxref{operating-system Reference, @code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +After it is created, you can use it in this manner: + +@lisp +;; Operating system with encrypted boot partition +(operating-system + ... + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + ;; Load the initrd with a key file + (extra-initrd "/key-file.cpio"))) + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "my-root") + (type (luks-device-mapping-with-options + ;; And use it to unlock the root device + #:key-file "/key-file.bin")))))) +@end lisp + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by GRUB. @end table @end deftp 
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index ba06de7618..f32e90e79d 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2022 Josselin Poiret ;;; Copyright © 2022 Reza Alizadeh Majd +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +281,9 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f))) ;string | #f (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..2723eda5f4 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020 Stefan ;;; Copyright © 2022 Karl Hallsby ;;; Copyright © 2022 Denis 'GNUtoo' Carikli +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) From patchwork Thu Jan 11 17:35:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz> X-Patchwork-Id: 58801 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 0157B27BBE2; Thu, 11 Jan 2024 17:36:57 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_ADSP_ALL, DKIM_INVALID,DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 005EB27BBE9 for ; Thu, 11 Jan 2024 17:36:56 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rNyyO-0006gM-7d; Thu, 11 Jan 2024 12:36:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rNyyM-0006bT-8U for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:06 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rNyyM-000394-0Z for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:06 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rNyyJ-0007ou-Fz for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:03 -0500 
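Review bot: The @example in the extra-initrd documentation hunk of doc/guix.texi (patch 2/6) creates /key-file.cpio under the default umask and only afterwards runs `chmod 0000 /key-file.cpio`, so the archive holding the key is briefly readable by other users, and nothing is said about the mode of /key-file.bin itself. Run the commands under `umask 077` (or create the file with restrictive permissions first) and add a sentence that the key file needs the same protection as the archive. The text should also state that the archive is expected to sit on the encrypted file system GRUB has already unlocked, since otherwise the key is stored in the clear next to the device it opens.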
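Review bot: In the make-grub-configuration hunks of gnu/bootloader/grub.scm (patch 2/6), `initrd` goes through `normalize-file` with device-mount-point and store-directory-prefix, but `extra-initrd` is taken verbatim from `bootloader-configuration-extra-initrd` and written into the `initrd ~a ~a` line. GRUB resolves that name against the root chosen by `grub-root-search device linux`, so when the store is on its own partition or under a subvolume prefix the extra initrd path will not resolve and the boot fails in the way the documentation warns about. Either normalize the path the same way or document that it is interpreted relative to the device holding the store. When extra-initrd is #f the format also emits two spaces after `initrd`; that is harmless, but building the argument list with string-join would avoid it.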
Subject: [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test.
To: 65002@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz> Date: Thu, 11 Jan 2024 18:35:41 +0100 Message-ID: X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Based on encrypted-home-os, this test verifies unlocking via a key file. * gnu/tests/install.scm (%encrypted-home-os-key-file), (%encrypted-home-os-key-file-source): New variables. (%test-encrypted-home-os-key-file): New exported variables. (%encrypted-home-installation-script): Generate initrd with a key file for unlocking the LUKS. Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636 --- gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index daa4647299..6794bca145 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -35,6 +35,7 @@ (define-module (gnu tests install) #:use-module (gnu packages admin) #:use-module (gnu packages bootloaders) #:use-module (gnu packages commencement) ;for 'guile-final' + #:use-module (gnu packages cpio) #:use-module (gnu packages cryptsetup) #:use-module (gnu packages disk) #:use-module (gnu packages emacs) @@ -67,6 +68,7 @@ (define-module (gnu tests install) %test-raid-root-os %test-encrypted-root-os %test-encrypted-home-os + %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os 
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script mkfs.ext4 -L root-fs /dev/vdb2 mkfs.ext4 -L home-fs /dev/mapper/the-home-device mount /dev/vdb2 /mnt + +# This script is used for both encrypted-home-os and encrypted-home-os-key-file +# tests. So we also add the keyfile here. +dd if=/dev/zero of=/key-file.bin bs=4096 count=1 +( cd /mnt; + echo /key-file.bin | cpio -oH newc > key-file.cpio + chmod 0000 key-file.cpio + mv /key-file.bin . +) +echo -n " %luks-passphrase " | \\ + cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin + mkdir /mnt/home mount /dev/mapper/the-home-device /mnt/home df -h /mnt /mnt/home 
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os (mlet* %store-monad ((images (run-install %encrypted-home-os %encrypted-home-os-source #:script - %encrypted-home-installation-script)) + %encrypted-home-installation-script + #:packages (list cpio))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) + +;;; +;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key +;;; file. +;;; +(define-os-with-source (%encrypted-home-os-key-file + %encrypted-home-os-key-file-source) + (use-modules (gnu) (gnu tests)) + + (operating-system + (host-name "cipherhome") + (timezone "Europe/Prague") + (locale "en_US.utf8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets (list "/dev/vdb")) + (extra-initrd "/key-file.cpio"))) + (kernel-arguments '("console=ttyS0")) + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-home-device") + (type (luks-device-mapping-with-options + #:key-file "/key-file.bin"))))) + (file-systems (cons* (file-system + (device (file-system-label "root-fs")) + (mount-point "/") + (type "ext4")) + (file-system + (device (file-system-label "home-fs")) + (mount-point "/home") + (type "ext4") + (dependencies mapped-devices)) + %base-file-systems)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-home-os-key-file + (system-test + (name "encrypted-home-os-key-file") + (description + "Test functionality of an OS installed with a LUKS /home partition with +unlock done using a key file") + (value + (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file + %encrypted-home-os-key-file-source + #:script + %encrypted-home-installation-script + #:packages (list cpio))) + (command (qemu-command* images))) + 
(run-basic-test %encrypted-home-os-key-file + command "encrypted-home-os-key-file"))))) + ;;; ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. From patchwork Thu Jan 11 17:35:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz> X-Patchwork-Id: 58799 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 40F0327BBE2; Thu, 11 Jan 2024 17:36:47 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_ADSP_ALL, DKIM_INVALID,DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 78C0027BBE9 for ; Thu, 11 Jan 2024 17:36:46 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rNyyN-0006dB-NG; Thu, 11 Jan 2024 12:36:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rNyyM-0006bs-Q6 for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:06 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rNyyM-00039V-I9 for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:06 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rNyyJ-0007p1-TJ for guix-patches@gnu.org; Thu, 11 Jan 2024 12:36:03 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS. 
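Review bot: In the %encrypted-home-installation-script hunk of gnu/tests/install.scm (patch 3/6), the key is generated with `dd if=/dev/zero of=/key-file.bin bs=4096 count=1`, which is an all-zero key, and /mnt/key-file.bin keeps its default permissions while only key-file.cpio gets `chmod 0000`. That is acceptable for a throwaway VM, but the script mirrors the documented procedure, so add a comment that the zero-filled key is test-only, or read it from /dev/urandom as a real setup would.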
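Review bot: %test-encrypted-home-os-key-file in gnu/tests/install.scm (patch 3/6) calls run-basic-test without `#:initialization`, so it covers only the case where the key file unlocks the device. The fallback to the passphrase prompt when the key file is absent or wrong, added to open-luks-device in patch 1/6, has no test. A second system test that boots with extra-initrd pointing at an archive holding a non-matching key and then uses enter-luks-passphrase-for-home would cover it.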
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:42 +0100

For testing that installation works, there is no need to spend 2000ms (the default) iterating while generating the encryption key. This commit therefore sets the iteration time to the lowest possible value, 1(ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 6794bca145..c5243f2ed9 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -755,7 +755,7 @@ (define %encrypted-root-installation-script set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device mkfs.ext4 -L my-root /dev/mapper/the-root-device
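Review bot: the `-i 1` added to the luksFormat line has no explanation in the script itself, and these installation scripts read like a template for a real install. An iteration time of 1 ms makes the passphrase key slot cheap to brute-force, so add a short comment beside it (or in the header of the define) saying the value is chosen only to speed up the test and must not be copied. Spelling it `--iter-time 1` would also make the intent readable without the man page.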
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script set 1 bios_grub on echo -n " %luks-passphrase " | \\ - cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - + cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 - echo -n " %luks-passphrase " | \\ cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device 
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script mkpart primary ext2 50M 1.6G \\ set 1 boot on \\ set 1 bios_grub on -echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 - echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root mkfs.ext4 -L my-root /dev/mapper/root mkfs.ext4 -L my-boot /dev/vdb2
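Review bot: the same luksFormat option is now edited in three separate string literals (/dev/vdb2 in %encrypted-root-installation-script, /dev/vdb3 in %encrypted-home-installation-script and in this format string), so the next change to the format options has to be repeated three times and can drift. Consider defining the shared options once, next to %luks-passphrase, and splicing them into all three scripts; a name such as %luks-format-options is only a suggestion.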
Subject: [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test.
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:43 +0100

The installation no longer fits into the 1.6G, leading to a warning while running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index c5243f2ed9..f553eeaa3e 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script ls -l /run/current-system/gc-roots parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ + mkpart primary ext2 3M 2G \\ set 1 boot on \\ set 1 bios_grub on echo -n " %luks-passphrase " | \\
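Review bot: the new partition end in `mkpart primary ext2 3M 2G` is not accompanied by any target-size change in this patch, whereas the follow-up patch passes `#:target-size (* 3000 MiB)` to the encrypted-home tests after the same growth. Please confirm that the disk image used by the encrypted-root test is at least 2G, or pass an explicit #:target-size there as well so the partition cannot run past the end of the disk. The commit message reports 1526.8 MB needed; a sentence on why 2G was picked (how much headroom it leaves) would help whoever has to bump it next.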
Subject: [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:35:44 +0100

The installation no longer fits into the 1.6G, leading to a warning while running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index f553eeaa3e..f9e766e532 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -964,8 +964,8 @@ (define %encrypted-home-installation-script export GUIX_BUILD_OPTIONS=--no-grafts parted --script /dev/vdb mklabel gpt \\ mkpart primary ext2 1M 3M \\ - mkpart primary ext2 3M 1.6G \\ - mkpart primary 1.6G 2.0G \\ + mkpart primary ext2 3M 2G \\ + mkpart primary 2G 2.4G \\ set 1 boot on \\ set 1 bios_grub on
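Review bot: the changelog entry names %encrypted-root-installation-script, but the @@ -964,8 +964,8 @@ hunk sits inside %encrypted-home-installation-script, and the encrypted-root script was already grown to 2G by the previous patch in the series. The entry should name %encrypted-home-installation-script and also record that the home partition moves from 1.6G to 2.0G over to 2G to 2.4G, since that shift is what makes the larger target size necessary.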
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os %encrypted-home-os-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) @@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file %encrypted-home-os-key-file-source #:script %encrypted-home-installation-script - #:packages (list cpio))) + #:packages (list cpio) + #:target-size + (* 3000 MiB))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os-key-file command "encrypted-home-os-key-file")))))
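Review bot: `#:target-size (* 3000 MiB)` is now written out twice, in %test-encrypted-home-os and in %test-encrypted-home-os-key-file, and both copies have to stay in step with the 2.4G partition end in %encrypted-home-installation-script. Bind the size to one name shared by both tests and add a comment tying it to the partition layout. The commit message calls the new size 3G while the code passes 3000 MiB; using the same wording in both places avoids a needless mismatch.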