Re: [PATCH v3 0/3] Cryptomount detached headers


From: brutser
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: Tue, 2 Aug 2022 01:47:57 +0200 (CEST)


Debian 11.4 for all the testing.
As I said, I execute a shell during installation, then simply enter the commands I wrote earlier:

cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /root/header.bin --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda2
cryptsetup luksOpen --header /root/header.bin /dev/sda2 sda2crypt
pvcreate /dev/mapper/sda2crypt
vgcreate testvg /dev/mapper/sda2crypt
lvcreate -L 2G -n root testvg

- continue install debian 11.4
- chroot into system
- copy header
- populate crypttab etc.

This whole process works 100% fine with grub 2.04 and luks1, as I said before...



From: Glenn Washburn <development@efficientek.com>
To: brutser--- via Grub-devel <grub-devel@gnu.org>
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: 02/08/2022 01:24:47 Europe/Paris
Cc: brutser@perso.be;
   dkiper@net-space.pl;
   ps@pks.im

On Tue, 2 Aug 2022 00:21:09 +0200 (CEST)
brutser--- via Grub-devel <grub-devel@gnu.org> wrote:

> Glenn,
>
> Still resorted to screenshots for the debug (with the added dprintf):
>
> https://imgur.com/a/YkVMdBe

Ok, that confirms that the luks2 module is loaded and that the scan is
happening. Based on the output I think luks2_read_header must be
failing. That means that either disk reads are failing, which doesn't
seem like the case, the disk read hook is failing or the LUKS2 magic
bytes are not what they should be.

Have you verified that after creating the volume and header file that
cryptsetup/dm can open the volume successfully?

What architecture and endianness is the machine you're running
cryptsetup on and what is it for the one GRUB is running on?

To test the read hook, add 'grub_dprintf("luks2", "read hook
succeeded");' just before the last return statement in the function
cryptodisk_read_hook in grub-core/disk/cryptodisk.c.

Glenn

>
> From: Glenn Washburn <development@efficientek.com>
> To: brutser--- via Grub-devel <grub-devel@gnu.org>
> Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> Date: 01/08/2022 22:50:27 Europe/Paris
> Cc: brutser@perso.be;
>    dkiper@net-space.pl;
>    ps@pks.im
>
> On Sat, 30 Jul 2022 11:54:32 +0200 (CEST)
> brutser--- via Grub-devel <grub-devel@gnu.org> wrote:
>
> > Glenn,
> >
> > As I had no idea how to get the debug logs from qemu, I made screenshots, find them attached. As this is probably something I am doing wrong, I hope it shows from the logs.
> >
> > https://imgur.com/a/rAlfZ77
>
> Getting the output to go to serial depends on the target. For i386
> using seabios, use "-fw_cfg name=etc/sercon-port,string=0 -serial
> stdio".
>
> Unfortunately, I'm now seeing that there are no debug log messages
> in the luks2 module that would be shown in this case. How about putting
> the line 'grub_dprintf("luks2", "entering luks2_scan\n");' at the start
> of the function luks2_scan in grub-core/disk/luks2.c and then
> recompiling and getting the output?
>
> Glenn
>
> > From: Glenn Washburn <development@efficientek.com>
> > To: brutser@perso.be
> > Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> > Date: 29/07/2022 21:27:48 Europe/Paris
> > Cc: grub-devel@gnu.org;
> >    dkiper@net-space.pl;
> >    ps@pks.im
> >
> > On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
> > brutser@perso.be wrote:
> >
> > > testing detached header failed:
> > >
> > > 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
> > >
> > > 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
> > >
> > > (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
> > >
> > > 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
> > >
> > > 4. I also tried luks1 encryption with detached header.
> > >
> > > whatever I try, I always get the same error:
> > >
> > > "no cryptodisk module can handle this device"
> > >
> > > Is this feature not 100% implemented yet? I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.
> >
> > This feature should be working in all cases, and if not there may be a
> > bug. I responded to your off-list email before seeing this one. I'll
> > repeat what I said there and let's continue this discussion on the list.
> >
> > I see nothing obviously wrong with what you're doing, given the
> > information above. To further debug this, would you be able to send a
> > log of the serial output when the GRUB envvar debug is set to "all"
> > while running the cryptomount command? If so, please send compressed in
> > a reply to this email on the list.
> >
> > If you can't because of hardware issues, would you be able to replicate
> > this in QEMU and grab the serial output from there? If you can boot the
> > system via other means, you should be able to use the raw disks (the
> > one with the LUKS volume and the other with the filesystem containing
> > the header file).
> >
> > Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
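Glenn's diagnosis above is that luks2_read_header is rejecting the header, either because the magic bytes are wrong or the read goes astray. The following is an added example, not code from this thread or from GRUB or cryptsetup, that reads a detached LUKS2 header file and applies the same kind of sanity checks a loader does before trusting it: magic, version, hdr_size and the sha256 checksum. The field layout (big-endian 4096-byte binary header followed by the JSON area, checksum computed over hdr_size bytes with the csum field zeroed) is assumed from the LUKS2 on-disk format; the sample header is constructed inline so the script runs offline.

```python
import hashlib
import struct
import sys

# On-disk LUKS2 binary header: big-endian, 4096 bytes, followed by the JSON
# area up to hdr_size. Layout assumed from the LUKS2 on-disk format spec.
LUKS2_BIN_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"   # the first 512 bytes
LUKS2_MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # primary / secondary header
BIN_HDR_SIZE = 4096
CSUM_OFFSET = 448   # offset of the 64-byte csum field inside the binary header

def build_header(hdr_size=16384, magic=LUKS2_MAGIC[0], json_area=b'{"keyslots":{}}'):
    """Constructed sample: a minimal header (default 16k, as with
    --luks2-metadata-size=16k) carrying a valid sha256 checksum."""
    fields = [magic, 2, hdr_size, 1, b"", b"sha256", b"\x00" * 64,
              b"00000000-0000-0000-0000-000000000000", b"", 0, b"", b"\x00" * 64]
    bin_hdr = struct.pack(LUKS2_BIN_FMT, *fields).ljust(BIN_HDR_SIZE, b"\x00")
    body = bin_hdr + json_area.ljust(hdr_size - BIN_HDR_SIZE, b"\x00")
    # csum is computed over the whole header with the csum field zeroed
    csum = hashlib.sha256(body).digest().ljust(64, b"\x00")
    return body[:CSUM_OFFSET] + csum + body[CSUM_OFFSET + 64:]

def check_header(data):
    """Return (ok, reason): the sanity checks a loader applies before
    trusting a header: magic, version, hdr_size and checksum."""
    if len(data) < BIN_HDR_SIZE:
        return False, "shorter than the 4096-byte binary header"
    (magic, version, hdr_size, _seqid, _label, csum_alg, _salt, _uuid,
     _subsys, _hdr_off, _pad, csum) = struct.unpack_from(LUKS2_BIN_FMT, data)
    if magic not in LUKS2_MAGIC:
        return False, "bad magic %r: not a LUKS2 header" % magic
    if version != 2:   # a LUKS1 header shares the magic but carries version 1
        return False, "unexpected version %d" % version
    if not BIN_HDR_SIZE < hdr_size <= len(data):
        return False, "hdr_size %d does not fit the file" % hdr_size
    alg = csum_alg.rstrip(b"\x00").decode("ascii", "replace")
    if alg != "sha256":
        return False, "unsupported checksum_alg %r" % alg
    zeroed = data[:CSUM_OFFSET] + b"\x00" * 64 + data[CSUM_OFFSET + 64:hdr_size]
    if hashlib.sha256(zeroed).digest() != csum[:32]:
        return False, "checksum mismatch (header corrupted or truncated)"
    return True, "ok: hdr_size=%d, json area=%d bytes" % (hdr_size, hdr_size - BIN_HDR_SIZE)

if __name__ == "__main__":
    # Pass the detached header file as the first argument; with no argument
    # the constructed sample is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_header()
    print(check_header(data)[1])
```

Run it against the copied header file (e.g. /root/header.bin above) on the installed system; a "bad magic" or "checksum mismatch" result points at the header file rather than at the GRUB module.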
