[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 0/3] Cryptomount detached headers

From: Glenn Washburn
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: Fri, 29 Jul 2022 14:27:48 -0500

On Fri, 29 Jul 2022 20:56:18 +0200 (CEST) wrote:

> testing detached header failed:
> 1. built grub payload with following modules: ahci usb_keyboard part_msdos 
> part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 
> gcry_sha256 gcry_sha512
> 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 
> 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k 
> --luks2-keyslots-size=512k /dev/sda1
> (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this 
> is just to minimize header size, but I also tested without).
> 3. from the grub cmd, i try to decrypt this partition using: cryptomount -H 
> /path/to/header (ahci0,msdos1)
> 4. I also tried luks1 encryption with detached header.
> whatever I try, I always get the same error:
> "no cryptodisk module can handle this device"
> Is this feature not 100% implemented yet, I saw people already verifying the 
> patches and would expect this to be working, so if yes, this seems like a bug.

This feature should be working in all cases, and if not there may be a
bug. I responded to your off-list email before seeing this one. I'll
repeat what I said there and let's continue this discussion on the list.

I see nothing obviously wrong with what you're doing, given the
information above. To further debug this, would you be able to send a
log of the serial output when the GRUB envvar debug is set to "all"
while running the cryptomount command? If so, please send compressed in
a reply to this email on the list.

If you can't because of hardware issues, would you be able to replicate
this in QEMU and grab the serial output from there? If you can boot the
system via other means, you should be able to use the raw disks (the
one with the LUKS volume and the other with the filesystem containing
the header file).


reply via email to

[Prev in Thread] Current Thread [Next in Thread]