bug-guix

bug#21843: Generated grub.cfg does not support encrypted roots


From: Ludovic Courtès
Subject: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 10 Mar 2016 10:17:46 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Andreas Enge <address@hidden> writes:

> What is needed are the following two lines at the beginning of grub.cfg:
>
> insmod luks
> cryptomount -u 1aa...
>
> where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".
>
> So the logic outlined in my previous message works:
> Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
> lead to a file-system with needed-for-boot? set to #t.
> Using
>    cryptsetup luksUUID /dev/sdXY
> determine a corresponding uuid 12345...0.
> If any such mapped-device exists, add
>    insmod luks
> as the first line of grub.cfg. For any such mapped-device, add a line
>    cryptomount -u 12345...0
> right after that.

IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
pass the device name, in GRUB format, which would allow us to use the
same strategy as in ‘grub-root-search’ in (gnu system grub)… with the
difficulty that we’d have to be able to map Linux /dev node names to
GRUB device names.

Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
their ‘mapped-device’ form, as in:

   (mapped-device
     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
     (target "root")
     (type luks-device-mapping))

we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
(in this case, to map a UUID to a /dev node.)

Thoughts?  Looks like more work than I initially thought.

Besides, I think we should only worry about the mapped device(s) that
back / and /boot, rather than any mapped device, no?

Thanks for looking into it,
Ludo’.
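
The procedure quoted in the message above, sketched as a shell function that emits the grub.cfg preamble only for LUKS devices backing file systems needed for boot. This is an added example, not code from the thread or from Guix. The function names and the three-column input rows (source device, mount point, needed-for-boot flag) are assumptions made for illustration, as is the choice to strip hyphens from the UUID, which is made because GRUB's luks module keeps the UUID in hyphen-free form.

```shell
#!/bin/sh
# Added example: build the grub.cfg preamble for LUKS devices needed at boot.

# Resolve the LUKS UUID of a block device with the command from the thread.
# Hypothetical helper; redefine it to try the logic without real devices.
luks_uuid_of() {
    cryptsetup luksUUID "$1"
}

# Reads rows "SOURCE-DEVICE MOUNT-POINT NEEDED-FOR-BOOT" on stdin, a
# hypothetical flattening of the mapped-device and file-system declarations,
# and prints the preamble. Returns non-zero when a UUID cannot be resolved
# or is malformed, so the caller never writes a half-built grub.cfg.
# Usage: printf '/dev/sda2 / yes\n' | grub_luks_preamble
grub_luks_preamble() {
    uuids=""
    while read -r dev mount needed; do
        # Only devices behind needed-for-boot file systems (such as / and /boot).
        [ "$needed" = "yes" ] || continue
        uuid=$(luks_uuid_of "$dev" </dev/null) || {
            echo "cannot read LUKS UUID of $dev (mounted at $mount)" >&2
            return 1
        }
        # Accept only the canonical 8-4-4-4-12 hex form before it reaches grub.cfg.
        if ! printf '%s\n' "$uuid" |
            grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'; then
            echo "unexpected UUID for $dev: $uuid" >&2
            return 1
        fi
        # Assumption of this example: pass the hyphen-free form to cryptomount.
        uuid=$(printf '%s' "$uuid" | tr -d '-')
        # Skip duplicates, e.g. / and /boot inside the same LUKS container.
        case " $uuids " in
            *" $uuid "*) ;;
            *) uuids="$uuids $uuid" ;;
        esac
    done
    # No encrypted device needed for boot: emit nothing at all.
    [ -n "$uuids" ] || return 0
    echo "insmod luks"
    for uuid in $uuids; do
        echo "cryptomount -u $uuid"
    done
}
```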




