bug#55723: Full disk encryption with grub-efi and LUKS2

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#55723: Full disk encryption with grub-efi and LUKS2

From:	Lars-Dominik Braun
Subject:	bug#55723: Full disk encryption with grub-efi and LUKS2
Date:	Mon, 30 May 2022 12:07:47 +0200

Hi,

I followed the manual to manually install Guix with full disk encryption
using LUKS2 and PBKDF2. However this leaves me with an unbootable system,
stuck at Grub’s rescue prompt, because `grub-install` apparently does
not know how to detect a LUKS2 target and therefore does not include
the modules required to open the encrypted volume in the EFI image. See
[1].

I managed to manually create a core.img with the help of ArchLinux’
Wiki[2] (see also [3]), boot into the system and reconfigure with a
modified bootloader:

---snip---
(define install-grub-efi-mkimage
  "Create an Grub EFI image with included cryptomount support for luks2,
which grub-install does not handle yet."
  #~(lambda (bootloader efi-dir mount-point)
        (when efi-dir
            (let ((grub-mkimage (string-append bootloader "/bin/grub-mkimage"))
                  ;; Required modules, YMMV.
                  (modules (list "luks2" "part_gpt" "cryptodisk" 
"gcry_rijndael" "pbkdf2" "gcry_sha256" "ext2"))
                  (prefix (string-append mount-point "/boot/grub"))
                  ;; Different configuration required to set up a crypto
                  ;; device. Change crypto_uuid to match your output of
                  ;; `cryptsetup luksUUID /device`.
                  ;; XXX: Maybe cryptomount -a could work?
                  (config #$(plain-file "grub.cfg" "set 
crypto_uuid=755e547f78f44dc38dab58399e1780a6
cryptomount -u $crypto_uuid
set root=crypto0
set prefix=($root)/boot/grub
insmod normal
normal"))
                  (target-esp (if (file-exists? (string-append mount-point 
efi-dir))
                                  (string-append mount-point efi-dir)
                                  efi-dir)))
              (apply invoke (append
                             (list
                               grub-mkimage
                              "-p" prefix
                              "-O" "x86_64-efi"
                              "-c" config
                              "-o" (string-append target-esp 
"/EFI/Guix/grubx64.efi"))
                             modules))))))

(define grub-efi-bootloader-luks2
  (bootloader
    (inherit grub-efi-bootloader)
    (name 'grub-efi-luks2)
    (installer install-grub-efi-mkimage)))
---snap---

Supposedly there are also patches for grub-mkimage, but maybe we can
include a workaround like the above by default until then or remove the
section about LUKS2 entirely?

Cheers,
Lars

[1] https://logs.guix.gnu.org/guix/2022-05-27.log#111808
[2] https://wiki.archlinux.org/title/GRUB#LUKS2
[3] 
https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Manual_configuration_of_core_image_for_early_boot

[Prev in Thread]

Current Thread

[Next in Thread]

bug#55723: Full disk encryption with grub-efi and LUKS2, Lars-Dominik Braun <=
- bug#55723: Full disk encryption with grub-efi and LUKS2, Josselin Poiret, 2022/05/31
  - bug#55723: [PATCH] doc: Warn about LUKS2-encrypted boot not working with GRUB., Josselin Poiret, 2022/05/31

Prev by Date: bug#55537: Guix pull after many months fails: substitutes for git-minimal-2.36.1 failed
Next by Date: bug#55537: Guix pull after many months fails: substitutes for git-minimal-2.36.1 failed
Previous by thread: bug#55721: Low cache usage in the presence of grafts
Next by thread: bug#55723: Full disk encryption with grub-efi and LUKS2
Index(es):
- Date
- Thread