bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#55723: Full disk encryption with grub-efi and LUKS2

From: Josselin Poiret
Subject: bug#55723: Full disk encryption with grub-efi and LUKS2
Date: Tue, 31 May 2022 12:44:43 +0200 
Hello Lars,

Lars-Dominik Braun <lars@6xq.net> writes:

> Hi,
>
> I followed the manual to manually install Guix with full disk encryption
> using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
> stuck at Grub’s rescue prompt, because `grub-install` apparently does
> not know how to detect a LUKS2 target and therefore does not include
> the modules required to open the encrypted volume in the EFI image. See
> [1].
>
> I managed to manually create a core.img with the help of ArchLinux’
> Wiki[2] (see also [3]), boot into the system and reconfigure with a
> modified bootloader:
>
> [...]
>
> Supposedly there are also patches for grub-mkimage, but maybe we can
> include a workaround like the above by default until then or remove the
> section about LUKS2 entirely?

Thank you for posting this bug and sorry for taking so long with this.
I'd suggest that we instead add a warning that `/boot/` must be
unencrypted for LUKS2+GRUB to work for now, possibly pointing to this
bug.

Let me explain the whole situation so that we have good summary of the
LUKS2+GRUB situation:

* GRUB the bootloader itself supports unlocking LUKS2 cryptodisks, with
  its `luks2` module, that we load via `insmod luks2` in the grub.cfg.
  It doesn't contain support for Argon2i yet, so only the PBKDF2 key
  derivation function can be used, which is unfortunately not the
  default for cryptsetup.

* Now, while the `luks2` module lets you unlock your disk, you have the
  usual chicken-and-egg problem: GRUB modules are stored in
  /boot/grub/.  If this resides on a LUKS2 drive, then you'd be out of
  luck!  However, this is a common issue with bootloaders, and GRUB
  allows embedding modules inside its own image, so that some modules
  are preloaded.  You can either create the image manually using
  grub-mkimage, or grub-install can take care of it for you, by
  detecting which modules should be embedded using a user-space version
  of GRUB.  This is where the LUKS2 support isn't finished yet: the
  userspace utilities don't recognize LUKS2, and will thus not try to
  include luks2 and friends if /boot/grub/ is on such a device.

The crux of the issue is that when running in user-space, GRUB cheats by
"pretending" to mount the device itself (called cheatmounting), and
actually relays all reads to the underlying dm-crypt device!  For LUKS1,
this works well, but LUKS2 can have multiple keyslots and data segments,
each with different algorithms, and since we don't know which keyslot
was used to unlock the device, we won't know which GRUB crypto modules
to include.  My approach at [1] is to ask device-mapper directly, but
there are also other patches trying various other methods, and the
consensus now seems to be that each patch does one thing well and that
we should combine all of the good parts.

In any case, I can send a documentation patch to warn about the current
situation later today.

[1] https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00076.html

Best,
-- 
Josselin Poiret
reply via email to
[Prev in Thread] Current Thread [Next in Thread]