GNU bug report logs - #21843
Generated grub.cfg does not support encrypted roots


Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Fri, 6 Nov 2015 15:53:02 UTC

Severity: important

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Fri, 06 Nov 2015 15:53:02 GMT)

Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 06 Nov 2015 15:53:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: bug-guix <at> gnu.org
Subject: Generated grub.cfg does not support encrypted roots
Date: Fri, 06 Nov 2015 16:52:34 +0100
As reported by 宋文武 at
<https://lists.gnu.org/archive/html/guix-devel/2015-11/msg00096.html>:

  Follow the manual to setup encrypted root, using the desktop.scm
  template, but
  at the final step, it failed with:

    Path '/mnt/boot/grub' is not readable by GRUB on boot.
    Installation is impossible. Aborting.

    (can be reproduced by `grub-install /dev/sdb --boot-directory
  /mnt/boot')

  After search, it seems that an un-encrypted boot partition is needed:

    https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition

  So, I run fdisk to add a boot partition, finally install finished!

  But it can't boot, I have to mount the encrypted root in Grub's cmdline:

    insmod cryptodisk
    insmod luks
    cryptomount hd0,msdos2

Ludo’.




Severity set to 'important' from 'normal' Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 29 Feb 2016 14:25:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Tue, 08 Mar 2016 19:22:02 GMT)

Message #10 received at 21843 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Tue, 8 Mar 2016 20:21:04 +0100
I tried the installation with unencrypted /boot, encrypted / using the
following snippet in the configuration file:
  (bootloader (grub-configuration (device "/dev/sda")))
  (mapped-devices (list (mapped-device
                         (source "/dev/sda2")
                         (target "root")
                         (type luks-device-mapping))))
  (file-systems (cons* (file-system
                        (device "/dev/mapper/root")
                        (title 'device)
                        (mount-point "/")
                        (type "ext4")
                        (needed-for-boot? #t))
                       (file-system
                         (device "boot")
                         (title 'label)
                         (mount-point "/boot")
                         (type "ext4")
                         (needed-for-boot? #t))
                       %base-file-systems))

Grub did not start, as it did not find the kernel etc. in /gnu/store.

So I typed "c" at the grub menu (in text mode without the splash screen,
which also resides in /gnu/store), and issued the following two commands:
  insmod luks
  cryptomount hd0,msdos2

This prompted me for the password a first time. The "insmod cryptodisk" was
not necessary. There was a new device called "(crypto0)" now; "ls (crypto0)/"
showed, among others, the /gnu directory.

Now I still needed to define the kernel; running "boot" was not enough.

I executed
  configfile (hd0,msdos1)/grub/grub.cfg
and now obtained the normal grub menu (with the splash screen) and could now
boot as usual. I was prompted a second time for the password.
According to the grub.cfg, grub searches for the kernel by file name and
uses the device where it is found automatically as root. So the second time
it must also have searched (crypto0).


This can be automated; I just added the two lines
  insmod luks
  cryptomount hd0,msdos2
to the top of grub.cfg, and the next time everything worked out of the box
(with two password prompts: the first one in text mode before grub was visibly
started, then the grub splash screen appeared, then during the normal boot).

The only difficulty here is the mapping between the mapped-device /dev/sda2
and the grub device hd0,msdos2. We would need to determine this automatically
when creating the grub.cfg during the call to "guix system init".


Maybe UUIDs can help. The command
   cryptsetup luksUUID /dev/sda2
returns a hex string with dashes, in my case 1aa...-...
This could be run during "guix system init" with the source field of
mapped-device.
The grub manual at:
  https://www.gnu.org/software/grub/manual/html_node/Device-syntax.html#Device-syntax
mentions a device syntax such as
  (cryptouuid/123456789abcdef0123456789abcdef0)
I tried replacing
  cryptomount hd0,msdos2
by
  cryptomount cryptouuid/1aa...
(without the dashes), but this did not work.
The strange thing is that grub somehow knows this uuid; when I type
   cryptomount hd0,msdos2
I am presented with the prompt
   Enter passphrase for hd0,msdos2 (1aa...):

So I am stuck here.


A first tentative solution would be to look for mapped-devices of type
luks-device-mapping that correspond to file-systems with needed-for-boot?
set to #t, and then add the corresponding "cryptomount" lines to grub.cfg,
with the obvious mapping sda->hd0, sdb->hd1,..., and 1->msdos1, 2->msdos2
and so on.

This would not be perfect, but at least better than what we have now.

And the line "insmod luks" could be added unconditionally (or only in the
presence of a mapped-device of type luks-device-mapping).

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Tue, 08 Mar 2016 19:34:02 GMT)

Message #13 received at 21843 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Tue, 8 Mar 2016 20:33:09 +0100
What is needed are the following two lines at the beginning of grub.cfg:

insmod luks
cryptomount -u 1aa...

where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".

So the logic outlined in my previous message works:
Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
lead to a file-system with needed-for-boot? set to #t.
Using
   cryptsetup luksUUID /dev/sdXY
determine a corresponding uuid 12345...0.
If any such mapped-device exists, add
   insmod luks
as the first line of grub.cfg. For any such mapped-device, add a line
   cryptomount -u 12345...0
right after that.

To simplify the logic, we could also move the needed-for-boot? parameter
to mapped-device, or add such a parameter there.

Andreas
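The procedure described in the two messages above (select the LUKS mapped devices that back a needed-for-boot file system, obtain their UUIDs, emit `insmod luks` once and one `cryptomount -u` line per device), as an added, runnable example that is not Guix code. The `<file-system>` and `<mapped-device>` records are modelled as dataclasses; the `resolver` callback is a stand-in for running `cryptsetup luksUUID /dev/sdXY` at instantiation time, and the sample data (a fixed UUID table instead of a subprocess) is constructed so the example runs offline. It also includes the naive `/dev/sdXN` to `hdX,msdosN` mapping from the first message as a fallback when no UUID can be determined.

```python
"""Derive the GRUB cryptomount preamble from a Guix-style system declaration.

Added example, not Guix code.  Implements the logic from the thread: pick the
luks-device-mapping devices that back a file system with needed-for-boot? #t,
obtain each one's LUKS UUID, and emit 'insmod luks' once followed by one
'cryptomount -u UUID' line per device.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAPPER_PREFIX = "/dev/mapper/"
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass(frozen=True)
class FileSystem:
    device: str            # "/dev/mapper/root", a label, or a UUID
    title: str             # "device", "label" or "uuid", like the Scheme 'title field
    mount_point: str
    type: str
    needed_for_boot: bool = False


@dataclass(frozen=True)
class MappedDevice:
    source: str            # "/dev/sdXY" or a LUKS UUID string
    target: str            # name under /dev/mapper
    type: str              # "luks-device-mapping" or another kind


def boot_mapped_devices(file_systems: List[FileSystem],
                        mapped_devices: List[MappedDevice]) -> List[MappedDevice]:
    """Mapped devices whose /dev/mapper/<target> backs a needed-for-boot file system."""
    by_target = {md.target: md for md in mapped_devices}
    found: List[MappedDevice] = []
    for fs in file_systems:
        if not (fs.needed_for_boot and fs.title == "device"
                and fs.device.startswith(MAPPER_PREFIX)):
            continue
        md = by_target.get(fs.device[len(MAPPER_PREFIX):])
        if md is not None and md not in found:
            found.append(md)
    return found


def luks_uuid(md: MappedDevice,
              resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """LUKS UUID of MD: the source itself if it already is one, otherwise what
    RESOLVER (stand-in for 'cryptsetup luksUUID') reports for the /dev path."""
    if UUID_RE.match(md.source):
        return md.source.lower()
    return resolver(md.source)


def linux_dev_to_grub(dev: str) -> str:
    """The naive /dev/sdXN -> hdX,msdosN mapping proposed in the thread.
    It assumes MBR partitions and that firmware disk order matches Linux
    enumeration, neither of which is guaranteed; it is only the fallback."""
    m = re.fullmatch(r"/dev/sd([a-z])([1-9][0-9]*)", dev)
    if m is None:
        raise ValueError(f"cannot map {dev!r} to a GRUB device name")
    return f"hd{ord(m.group(1)) - ord('a')},msdos{m.group(2)}"


def grub_crypto_preamble(file_systems: List[FileSystem],
                         mapped_devices: List[MappedDevice],
                         resolver: Callable[[str], Optional[str]]) -> List[str]:
    """Lines to place at the top of grub.cfg so GRUB can read the store."""
    luks = [md for md in boot_mapped_devices(file_systems, mapped_devices)
            if md.type == "luks-device-mapping"]
    if not luks:
        return []                      # nothing encrypted is needed for boot
    lines = ["insmod luks"]
    for md in luks:
        uuid = luks_uuid(md, resolver)
        if uuid is not None:
            lines.append(f"cryptomount -u {uuid}")       # stable across device renames
        else:
            lines.append(f"cryptomount {linux_dev_to_grub(md.source)}")
    return lines


# Constructed sample, mirroring the configuration snippet earlier in the thread
# (unencrypted /boot found by label, LUKS root at /dev/sda2 mapped to "root").
SAMPLE_FILE_SYSTEMS = [
    FileSystem("/dev/mapper/root", "device", "/", "ext4", needed_for_boot=True),
    FileSystem("boot", "label", "/boot", "ext4", needed_for_boot=True),
]
SAMPLE_MAPPED_DEVICES = [MappedDevice("/dev/sda2", "root", "luks-device-mapping")]

# Constructed stand-in for 'cryptsetup luksUUID': a fixed table, no subprocess.
SAMPLE_LUKS_UUIDS: Dict[str, str] = {
    "/dev/sda2": "cb67fc72-0d54-4c88-9d4b-b225f30b0f44",
}


def sample_resolver(dev: str) -> Optional[str]:
    return SAMPLE_LUKS_UUIDS.get(dev)


if __name__ == "__main__":
    for line in grub_crypto_preamble(SAMPLE_FILE_SYSTEMS, SAMPLE_MAPPED_DEVICES,
                                     sample_resolver):
        print(line)
```

The UUID path is preferred because, as the later messages note, it does not depend on the Linux device name or on GRUB's disk enumeration; the `hdX,msdosN` fallback is only emitted when no UUID can be found and should be treated as a best-effort guess.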





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Thu, 10 Mar 2016 09:18:01 GMT)

Message #16 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas <at> enge.fr>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 10 Mar 2016 10:17:46 +0100
Andreas Enge <andreas <at> enge.fr> wrote:

> What is needed are the following two lines at the beginning of grub.cfg:
>
> insmod luks
> cryptomount -u 1aa...
>
> where 1aa... is the result of "cryptsetup luksUUID /dev/sda2".
>
> So the logic outlined in my previous message works:
> Determine the mapped-devices /dev/sdXY of type luks-device-mapping that
> lead to a file-system with needed-for-boot? set to #t.
> Using
>    cryptsetup luksUUID /dev/sdXY
> determine a corresponding uuid 12345...0.
> If any such mapped-device exists, add
>    insmod luks
> as the first line of grub.cfg. For any such mapped-device, add a line
>    cryptomount -u 12345...0
> right after that.

IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
pass the device name, in GRUB format, which would allow us to use the
same strategy as in ‘grub-root-search’ in (gnu system grub)… with the
difficulty that we’d have to be able to map Linux /dev node names to
GRUB device names.

Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
their ‘mapped-device’ form, as in:

   (mapped-device
     (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
     (target "root")
     (type luks-device-mapping))

we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
(in this case, to map a UUID to a /dev node.)

Thoughts?  Looks like more work than I initially thought.

Besides, I think we should only worry about the mapped device(s) that
back / and /boot, rather than any mapped device, no?

Thanks for looking into it,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Thu, 10 Mar 2016 09:49:01 GMT)

Message #19 received at 21843 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 10 Mar 2016 10:48:37 +0100
On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
> IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
> pass the device name, in GRUB format

Yes, but my idea was that the uuid is something we can determine
at instantiation time. If the mapped device is /dev/sdd3, we can run
   (system* "cryptsetup" "luksUUID" "/dev/sdd3")
and obtain the uuid.

I suppose we could also use the grub device (hd3,msdos3) in this case,
but I do not know what is the mapping between /dev nodes and these devices,
and if it is actually a function that could be computed from the file name
in /dev only or not.

>    (mapped-device
>      (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
>      (target "root")
>      (type luks-device-mapping))
> we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

We can also let the users do the work (and document this in the manual),
by having them supply all the information:

   (mapped-device
     (source "/dev/sdd3")
     (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44") ;LUKS UUID
     (target "root")
     (type luks-device-mapping)
     (needed-for-boot? #t))

> Besides, I think we should only worry about the mapped device(s) that
> back / and /boot, rather than any mapped device, no?

This could either be solved by determining which file systems have
needed-for-boot? #t and determine the corresponding mapped devices,
or by adding such a parameter for the mapped-device as in my suggestion
above.

Or we do it all automatically for / and /boot and drop the parameter
needed-for-boot? everywhere.

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Fri, 11 Mar 2016 08:46:01 GMT)

Message #22 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas <at> enge.fr>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Fri, 11 Mar 2016 09:45:07 +0100
Andreas Enge <andreas <at> enge.fr> wrote:

> On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
>> IIUC we don’t *have* to pass the UUID to ‘cryptomount’; we could also
>> pass the device name, in GRUB format
>
> Yes, but my idea was that the uuid is something we can determine
> at instantiation time. If the mapped device is /dev/sdd3, we can run
>    (system* "cryptsetup" "luksUUID" "/dev/sdd3")
> and obtain the uuid.

Hmm yeah, but we don’t even do that for regular partitions.

> I suppose we could also use the grub device (hd3,msdos3) in this case,
> but I do not know what is the mapping between /dev nodes and these devices,
> and if it is actually a function that could be computed from the file name
> in /dev only or not.

‘grub-probe’ should know, I think.

>>    (mapped-device
>>      (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
>>      (target "root")
>>      (type luks-device-mapping))
>> we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
>> (in this case, to map a UUID to a /dev node.)
>
> We can also let the users do the work (and document this in the manual),
> by having them supply all the informatin:
>
>    (mapped-device
>      (source "/dev/sdd3")
>      (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44") ;LUKS UUID
>      (target "root")
>      (type luks-device-mapping)
>      (needed-for-boot? #t))

I think the goal of providing a UUID is to not have to worry about the
actual device name (which could change).

The ‘needed-for-boot?’ flag should be unnecessary because it can be
inferred from corresponding file systems, as is already the case.

>> Besides, I think we should only worry about the mapped device(s) that
>> back / and /boot, rather than any mapped device, no?
>
> This could either be solved by determining which file systems have
> needed-for-boot? #t and determine the corresponding mapped devices,
> or by adding such a parameter for the mapped-device as in my suggestion
> above.
>
> Or we do it all automatically for / and /boot and drop the parameter
> needed-for-boot? everywhere.

We keep it only in ‘file-system’, I think.

Anyway, sounds like quite a bit of work here.  :-)

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Wed, 16 Mar 2016 20:41:01 GMT)

Message #25 received at 21843 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 16 Mar 2016 21:40:00 +0100
On Thu, Mar 10, 2016 at 10:17:46AM +0100, Ludovic Courtès wrote:
> Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
> their ‘mapped-device’ form, as in:
>    (mapped-device
>      (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
>      (target "root")
>      (type luks-device-mapping))
> we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

I just read a bit of the cryptsetup manual; we do not need to do the
resolution, in the above example we would have the line
   cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
(as discussed previously; it works at least without the dashes, we can also
try to keep the dashes).
And then it should be possible to open the device with
   cryptsetup luksOpen UUID=cb67fc72-0d54-4c88-9d4b-b225f30b0f44 root
This looks for the given uuid in /dev/disk/by-uuid.

I wanted to give it a try with the installation image, but unfortunately it
does not contain the directory /dev/disk.

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Thu, 17 Mar 2016 13:15:02 GMT)

Message #28 received at 21843 <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Thu, 17 Mar 2016 14:14:35 +0100
On Wed, Mar 16, 2016 at 09:40:00PM +0100, Andreas Enge wrote:
> I just read a bit of the cryptsetup manual; we do not need to do the
> resolution, in the above example we would have the line
>    cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
> (as discussed previously; it works at least without the dashes, we can also
> try to keep the dashes).
> And then it should be possible to open the device with
>    cryptsetup luksOpen UUID=cb67fc72-0d54-4c88-9d4b-b225f30b0f44 root
> This looks for the given uuid in /dev/disk/by-uuid.
> 
> I wanted to give it a try with the installation image, but unfortunately it
> does not contain the directory /dev/disk.

I tried it out with an already installed (and reconfigured, but that should
not make a difference) GuixSD, and the above "cryptsetup" line works as well
(with the dashes).

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Sat, 16 Apr 2016 16:10:02 GMT)

Message #31 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Sat, 16 Apr 2016 18:09:35 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

>     Path '/mnt/boot/grub' is not readable by GRUB on boot.
>     Installation is impossible. Aborting.
>
>     (can be reproduced by `grub-install /dev/sdb --boot-directory
>   /mnt/boot')

On this topic, see the story about ‘grub-probe’ at:

  https://lists.gnu.org/archive/html/help-guix/2016-01/msg00118.html

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Sun, 17 Apr 2016 23:30:02 GMT)

Message #34 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas <at> enge.fr>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Mon, 18 Apr 2016 01:29:22 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Furthermore, to allow users to specify a LUKS UUID as the ‘source’ of
> their ‘mapped-device’ form, as in:
>
>    (mapped-device
>      (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44")) ;LUKS UUID
>      (target "root")
>      (type luks-device-mapping))
>
> we’d have to extend <mapped-device-kind> with a method to resolve UUIDs
> (in this case, to map a UUID to a /dev node.)

Commit ffba7d498d36618ad21af3961a1a685ae91bae57 makes it possible,
building on ‘find-partition-by-luks-uuid’ added in
a1ccefaa122df7c0045eda1fe6b65d83b65ed238.

(Tested on my system where /home is LUKS-encrypted.)

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Wed, 27 Apr 2016 21:00:02 GMT)

Message #37 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andreas Enge <andreas <at> enge.fr>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 27 Apr 2016 22:58:59 +0200
[Message part 1 (text/plain, inline)]
Andreas Enge <andreas <at> enge.fr> wrote:

> What is needed are the following two lines at the beginning of grub.cfg:
>
> insmod luks
> cryptomount -u 1aa...

The attached patch does exactly that when the ‘mapped-device’ source is
a UUID, as is the case with the modified bare-bones.tmpl example:

[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/system.scm b/gnu/system.scm
index 768ca9c..da41ba6 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -210,6 +210,16 @@ as 'needed-for-boot'."
                  (string=? (file-system-device fs) target)))
           file-systems)))
 
+(define (file-system-mapped-device file-system devices)
+  "Return the mapped-device among DEVICES that backs FILE-SYSTEM, or #f."
+  (and (eq? 'device (file-system-title file-system))
+       (string-prefix? "/dev/mapper/" (file-system-device file-system))
+       (let ((name (string-drop (file-system-device file-system)
+                                (string-length "/dev/mapper/"))))
+         (find (lambda (md)
+                 (string=? (mapped-device-target md) name))
+               devices))))
+
 (define (operating-system-user-mapped-devices os)
   "Return the subset of mapped devices that can be installed in
 user-land--i.e., those not needed during boot."
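Review bot: `file-system-mapped-device` only recognizes a file system whose title is `'device` and whose device string starts with `"/dev/mapper/"`; a root declared by label or UUID on top of a mapped device silently yields `#f`, so no `cryptomount` lines are produced and the user gets no diagnostic. State that restriction in the docstring, or raise a clear error when a LUKS mapped device exists but cannot be matched to the store file system.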
@@ -674,6 +684,15 @@ listed in OS.  The C library expects to find it under
   "Return the file system that contains the store of OS."
   (store-file-system (operating-system-file-systems os)))
 
+(define (grub-config-for-store-file-system os)
+  (let ((md (file-system-mapped-device (operating-system-store-file-system os)
+                                       (operating-system-mapped-devices os))))
+    (if md
+        (let* ((type (mapped-device-type md))
+               (grub (mapped-device-kind-grub type)))
+          (grub (mapped-device-source md) (mapped-device-target md)))
+        '())))
+
 (define* (operating-system-grub.cfg os #:optional (old-entries '()))
   "Return the GRUB configuration file for OS.  Use OLD-ENTRIES to populate the
 \"old entries\" menu."
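Review bot: `grub-config-for-store-file-system` calls `(grub ...)` unconditionally once a mapped device is found, but `mapped-device-kind-grub` defaults to `#f` in the mapped-devices.scm hunk, so any kind other than LUKS backing the store (including a user-defined kind) makes grub.cfg generation fail with a wrong-type-to-apply error instead of yielding `'()`. Guard it, e.g. `(if (and md (mapped-device-kind-grub (mapped-device-type md))) ...)`, and give the procedure a docstring like its neighbours.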
@@ -694,7 +713,8 @@ listed in OS.  The C library expects to find it under
                                    #~(string-append "--load=" #$system
                                                     "/boot")
                                    (operating-system-kernel-arguments os)))
-                           (initrd #~(string-append #$system "/initrd"))))))
+                           (initrd #~(string-append #$system "/initrd"))
+                           (extra-lines (grub-config-for-store-file-system os))))))
     (grub-configuration-file (operating-system-bootloader os)
                              store-fs entries
                              #:old-entries old-entries)))
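Review bot: attaching the `cryptomount` preamble to each menu entry via `extra-lines` leaves everything emitted before the entries, notably the eye-candy output that `grub-configuration-file` writes from `store-fs` first (the splash image, which this thread earlier noted also lives in /gnu/store), running against a still-locked device, so the splash cannot load. Consider emitting the preamble once at the top of grub.cfg, which is what the manual workaround in this thread did, rather than per entry.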
diff --git a/gnu/system/examples/bare-bones.tmpl b/gnu/system/examples/bare-bones.tmpl
index 87e8d1e..b85593d 100644
--- a/gnu/system/examples/bare-bones.tmpl
+++ b/gnu/system/examples/bare-bones.tmpl
@@ -13,9 +13,13 @@
   ;; Assuming /dev/sdX is the target hard disk, and "my-root" is
   ;; the label of the target root file system.
   (bootloader (grub-configuration (device "/dev/sdX")))
+  (mapped-devices (list (mapped-device
+                         (source (uuid "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"))
+                         (target "foo")
+                         (type luks-device-mapping))))
   (file-systems (cons (file-system
-                        (device "my-root")
-                        (title 'label)
+                        (device "/dev/mapper/foo")
+                        (title 'device)
                         (mount-point "/")
                         (type "ext4"))
                       %base-file-systems))
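Review bot: the comment on the two unchanged lines above the change still says `"my-root" is the label of the target root file system`, but the root is now `/dev/mapper/foo` with title `'device` and no label is used; update the comment. Since this is the template users copy, the literal `cb67fc72-0d54-4c88-9d4b-b225f30b0f44` should be marked as a placeholder to replace with the output of `cryptsetup luksUUID`, and the target deserves a more descriptive name than "foo".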
diff --git a/gnu/system/grub.scm b/gnu/system/grub.scm
index 45b46ca..60cc044 100644
--- a/gnu/system/grub.scm
+++ b/gnu/system/grub.scm
@@ -114,7 +114,9 @@
   (linux           menu-entry-linux)
   (linux-arguments menu-entry-linux-arguments
                    (default '()))          ; list of string-valued gexps
-  (initrd          menu-entry-initrd))     ; file name of the initrd as a gexp
+  (initrd          menu-entry-initrd)      ; file name of the initrd as a gexp
+  (extra-lines     menu-entry-extra-lines  ; list of string-valued gexps
+                   (default '())))
 
 
 ;;;
@@ -253,13 +255,14 @@ corresponding to old generations of the system."
 
   (define entry->gexp
     (match-lambda
-     (($ <menu-entry> label linux arguments initrd)
-      #~(format port "menuentry ~s {
+      (($ <menu-entry> label linux arguments initrd extra-lines)
+      #~(format port "menuentry ~s {~{~%  ~a~}
   ~a
   linux ~a/~a ~a
   initrd ~a
 }~%"
                 #$label
+                (list #$@extra-lines)
                 #$(grub-root-search store-fs
                                     #~(string-append #$linux "/"
                                                      #$linux-image-name))
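Review bot: the rewritten `match-lambda` clause is indented one column deeper than the original (six spaces instead of five), an unrelated whitespace change that makes the hunk noisier than it needs to be; keep the original indentation. The `~{~%  ~a~}` directive also depends on the full `(ice-9 format)` implementation, which is only loaded in the next hunk; a short comment here would save the next reader the puzzle.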
@@ -268,22 +271,25 @@ corresponding to old generations of the system."
 
   (mlet %store-monad ((sugar (eye-candy config store-fs system #~port)))
     (define builder
-      #~(call-with-output-file #$output
-          (lambda (port)
-            #$sugar
-            (format port "
+      #~(begin
+          (use-modules (ice-9 format))
+
+          (call-with-output-file #$output
+            (lambda (port)
+              #$sugar
+              (format port "
 set default=~a
 set timeout=~a~%"
-                    #$(grub-configuration-default-entry config)
-                    #$(grub-configuration-timeout config))
-            #$@(map entry->gexp all-entries)
+                      #$(grub-configuration-default-entry config)
+                      #$(grub-configuration-timeout config))
+              #$@(map entry->gexp all-entries)
 
-            #$@(if (pair? old-entries)
-                   #~((format port "
+              #$@(if (pair? old-entries)
+                     #~((format port "
 submenu \"GNU system, old configurations...\" {~%")
-                      #$@(map entry->gexp old-entries)
-                      (format port "}~%"))
-                   #~()))))
+                        #$@(map entry->gexp old-entries)
+                        (format port "}~%"))
+                     #~())))))
 
     (gexp->derivation "grub.cfg" builder)))
 
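Review bot: the `(use-modules (ice-9 format))` added to the builder is what makes the `~{ ~}` iteration directive in `entry->gexp` work, but nothing says so; add a one-line comment next to it. Re-indenting the whole `call-with-output-file` body to fit under the new `begin` turns a two-line change into a twenty-line hunk; hoisting the `use-modules` without re-nesting the existing form would keep the diff reviewable.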
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 450b473..ddb6c8d 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -22,7 +22,11 @@
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:autoload   (gnu packages cryptsetup) (cryptsetup)
+  #:autoload   (gnu build file-systems) (uuid->string)
   #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-34)
+  #:use-module (srfi srfi-35)
+  #:use-module (rnrs bytevectors)
   #:use-module (ice-9 match)
   #:export (mapped-device
             mapped-device?
@@ -34,6 +38,7 @@
             mapped-device-kind?
             mapped-device-kind-open
             mapped-device-kind-close
+            mapped-device-kind-grub
 
             device-mapping-service-type
             device-mapping-service
@@ -59,7 +64,9 @@
   mapped-device-kind?
   (open      mapped-device-kind-open)             ;source target -> gexp
   (close     mapped-device-kind-close             ;source target -> gexp
-             (default (const #~(const #f)))))
+             (default (const #~(const #f))))
+  (grub      mapped-device-kind-grub              ;source target -> gexp list
+             (default #f)))                       ;| #f
 
 
 ;;;
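Review bot: the comment on the new `grub` field reads `;source target -> gexp list`, but `grub-luks-device` below returns a list of plain strings, not gexps, and the `extra-lines` field in grub.scm is documented as a list of string-valued gexps; align the comment with what is actually returned so that callers know what they are splicing.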
@@ -121,10 +128,21 @@
   #~(zero? (system* (string-append #$cryptsetup "/sbin/cryptsetup")
                     "close" #$target)))
 
+(define (grub-luks-device source target)
+  (if (bytevector? source)
+      (list "insmod luks"
+            (string-append "cryptomount -u " (uuid->string source)))
+      (raise
+       (condition
+        (&message
+         (message (format #f "LUKS mapped-device source must be a UUID: ~s"
+                          source)))))))
+
 (define luks-device-mapping
   ;; The type of LUKS mapped devices.
   (mapped-device-kind
    (open open-luks-device)
-   (close close-luks-device)))
+   (close close-luks-device)
+   (grub grub-luks-device)))
 
 ;;; mapped-devices.scm ends here
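Review bot: `grub-luks-device` raises whenever the source is not a bytevector, so every existing configuration that names the LUKS device by path, such as the `(source "/dev/sda2")` form shown earlier in this thread, now fails at `guix system reconfigure` time as soon as the mapped device backs the store. That is a behaviour change for deployed systems; either make the message tell users to switch to `(source (uuid "..."))`, or fall back to emitting `cryptomount` with a device name. Also, `target` is unused here, which is fine under the `source target -> ...` contract but worth a comment.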
[Message part 3 (text/plain, inline)]
A good way to test it (not as root!) is:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system reconfigure gnu/system/examples/bare-bones.tmpl
/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system
/gnu/store/9l0dfdxj7ybck63r9zrgnxbyryn6f0kh-grub.cfg
/gnu/store/myrc5cinlhpj2yilhzv5y0szz2ax2i6z-grub-2.00
guix system: error: symlink: Mankas permeso: "/var/guix/profiles/system-192-link"
--8<---------------cut here---------------end--------------->8---

The generated grub.cfg whose name appears above has this entry:

--8<---------------cut here---------------start------------->8---
menuentry "GNU with Linux-Libre 4.5.2 (beta)" {
  insmod luks
  cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
  search --file --set /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage
  linux /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo --system=/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system --load=/gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/boot
  initrd /gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/initrd
}
--8<---------------cut here---------------end--------------->8---

Now, I haven’t tested this in reality and would appreciate help here.

We may have to add the patch to ‘guix-devel’ in (gnu packages
package-management) to test it.

Ludo’.
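A check for the generated grub.cfg shown above, as an added example that is not part of the original message or of Guix: it parses the `menuentry` blocks and verifies, per entry, that `insmod luks` precedes `cryptomount`, that no line touches /gnu/store before the device has been unlocked, that `cryptomount` is given a UUID rather than a device name, and that the UUID matches the one declared for the mapped device (compared with dashes stripped, since the thread reports GRUB accepts both forms). The good sample is the entry from the message with its kernel arguments shortened; the broken variant is constructed.

```python
"""Check a generated grub.cfg for the ordering an encrypted store requires.

Added example, not Guix code.  For each menuentry it reports ordering and
UUID problems; an empty problem list means the entry can reach the store.
"""
import re
from typing import Dict, List

MENUENTRY_RE = re.compile(
    r'menuentry\s+"(?P<label>[^"]*)"\s*\{(?P<body>.*?)\n\}', re.S)
CRYPTOMOUNT_UUID_RE = re.compile(r"^cryptomount\s+-u\s+([0-9a-fA-F-]+)$")


def parse_menuentries(cfg: str) -> Dict[str, List[str]]:
    """Map each menuentry label to its stripped, non-empty body lines."""
    return {m.group("label"):
            [l.strip() for l in m.group("body").splitlines() if l.strip()]
            for m in MENUENTRY_RE.finditer(cfg)}


def check_entry(lines: List[str], expected_uuid: str) -> List[str]:
    """Problems found in one menuentry; an empty list means it is fine."""
    def first(pred):
        return next((i for i, l in enumerate(lines) if pred(l)), None)

    problems: List[str] = []
    insmod = first(lambda l: l == "insmod luks")
    crypto = first(lambda l: l.startswith("cryptomount"))
    store = first(lambda l: "/gnu/store/" in l)
    if crypto is None:
        return ["no cryptomount: the encrypted store is unreachable"]
    if insmod is None or insmod > crypto:
        problems.append("'insmod luks' must precede cryptomount")
    if store is not None and store < crypto:
        problems.append("store path referenced before cryptomount")
    m = CRYPTOMOUNT_UUID_RE.match(lines[crypto])
    if m is None:
        problems.append("cryptomount uses a device name, not -u UUID")
    elif m.group(1).replace("-", "").lower() != expected_uuid.replace("-", "").lower():
        problems.append(f"cryptomount UUID {m.group(1)} != configured {expected_uuid}")
    return problems


def check_grub_cfg(cfg: str, expected_uuid: str) -> Dict[str, List[str]]:
    """Problems per menuentry label for the whole grub.cfg text."""
    return {label: check_entry(lines, expected_uuid)
            for label, lines in parse_menuentries(cfg).items()}


# UUID declared in the mapped-device of the modified bare-bones.tmpl.
CONFIGURED_UUID = "cb67fc72-0d54-4c88-9d4b-b225f30b0f44"

# The entry from the generated grub.cfg above, kernel arguments shortened.
GOOD_CFG = """\
menuentry "GNU with Linux-Libre 4.5.2 (beta)" {
  insmod luks
  cryptomount -u cb67fc72-0d54-4c88-9d4b-b225f30b0f44
  search --file --set /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage
  linux /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo
  initrd /gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/initrd
}
"""

# Constructed counter-example: GRUB searches the still-locked store before
# unlocking it, and the unlock names a device rather than a UUID.
BAD_CFG = """\
menuentry "broken entry" {
  search --file --set /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage
  insmod luks
  cryptomount hd0,msdos2
  linux /gnu/store/dd2qbz6a5pszwnzay3s8mm9yim531nz0-linux-libre-4.5.2/bzImage --root=/dev/mapper/foo
  initrd /gnu/store/fm8lbh7r3j05bkd6kbnc9xwph6rmy0rz-system/initrd
}
"""

if __name__ == "__main__":
    for cfg in (GOOD_CFG, BAD_CFG):
        for label, problems in check_grub_cfg(cfg, CONFIGURED_UUID).items():
            print(label, "->", problems or "OK")
```

Run it against the grub.cfg path printed by `guix system reconfigure` (or `guix system build`) before rebooting; it catches the two failure modes the thread ran into, the store being searched before it is unlocked and a stale device name in `cryptomount`, without needing a test VM.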

Added tag(s) patch. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 01 May 2016 21:30:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Sun, 01 May 2016 22:09:02 GMT)

Message #42 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Mon, 02 May 2016 00:07:39 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Now, I haven’t tested this in reality and would appreciate help here.

I’m in the process of implementing automated tests for the installation
process.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Wed, 26 Oct 2016 15:33:01 GMT)

Message #45 received at 21843 <at> debbugs.gnu.org:

From: Christopher Baines <mail <at> cbaines.net>
To: Ludovic Courtès <ludo <at> gnu.org>, 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 26 Oct 2016 07:56:12 +0100
On 01/05/16 23:07, Ludovic Courtès wrote:
> ludo <at> gnu.org (Ludovic Courtès) wrote:
>
>> Now, I haven’t tested this in reality and would appreciate help here.
>
> I’m in the process of implementing automated tests for the installation
> process.

I've been looking at this bug, as I've got a new laptop which I would 
like to install GuixSD on, and I would like to use an encrypted root 
partition.

Regarding the system tests, it looks to me like they do exist now, but 
so far I've been unable to run them (I get an error related to hash 
mismatch of module-import-compiled, I want to try getting it to 
fallback, but first I need to work out where Guix is being invoked...).





Information forwarded to bug-guix <at> gnu.org:
bug#21843; Package guix. (Wed, 23 Nov 2016 20:22:01 GMT)

Message #48 received at 21843 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Christopher Baines <mail <at> cbaines.net>
Cc: 21843 <at> debbugs.gnu.org
Subject: Re: bug#21843: Generated grub.cfg does not support encrypted roots
Date: Wed, 23 Nov 2016 21:21:05 +0100
Hello!

(And apologies Christopher for not replying earlier!)

I’m happy to report that this issue is finally fixed in
f7f292d359e0eb77617f4ecf6b3164f868ec1784!

The complete list of relevant commits is this:

--8<---------------cut here---------------start------------->8---
f7f292d * install: Enable "cryptodisk" handling in GRUB.
b7d408e * mapped-devices: Use 'cryptsetup-static' in 'luks-device-mapping'.
fe93383 * marionette: Add 'marionette-screen-text' using OCR.
f25c9eb * marionette: Delay synchronization with the host's REPL.

[...]

106b389 * gnu: Add 'cryptsetup-static'.
01f94cc * gnu: Add 'lvm2-static'.
10da75d * gnu: grub: Add dependency on LVM2.
--8<---------------cut here---------------end--------------->8---

Without LVM2 support, ‘grub-install’ and ‘grub-probe’ would fail to
determine what to do with the LUKS-encrypted partition.

When using ‘cryptsetup’ instead of ‘cryptsetup-static’, we were pulling
the whole closure of ‘cryptsetup’ (105 MiB) in the initrd, which was
clearly unreasonable.  ;-)

The gist was to come up with a test strategy that would work.  The
difficulty here is that we have to enter a passphrase early on in GRUB,
and then once again once the kernel has booted, when ‘cryptsetup’ is
invoked from the initrd.  At this point, we have no good communication
channel with the host, hence the screenshots with OCR!  (Idea stolen
from NixOS’ own tests.)

You can run the test with:

  make check-system TESTS=encrypted-root-os

Further testing welcome!

Ludo’.




Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 23 Nov 2016 20:22:02 GMT)

bug closed, send any further explanations to 21843 <at> debbugs.gnu.org and ludo <at> gnu.org (Ludovic Courtès) Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 23 Nov 2016 20:22:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Dec 2016 12:24:03 GMT)
