Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Colin Watson]

I'm carrying this old patch in Debian at the moment, which predates the
addition of LUKS support to GRUB:

Index: b/util/grub-mkconfig_lib.in
===================================================================
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -130,6 +130,15 @@
     esac
   done
 
+  if dmsetup status $device 2>/dev/null | grep -q 'crypt[[:space:]]$'; then
+    grub_warn \
+      "$device is a crypto device, which GRUB cannot read directly.  Some" \
+      "necessary modules may be missing from /boot/grub/grub.cfg.  You may" \
+      "need to list them in GRUB_PRELOAD_MODULES in /etc/default/grub.  See" \
+      "http://bugs.debian.org/542165 for details."
+    return 0
+  fi
+
   # Abstraction modules aren't auto-loaded.
   abstraction="`"${grub_probe}" --device $@ --target=abstraction`"
   for module in ${abstraction} ; do

Now, this is obviously wrong because it renders LUKS support mostly
non-functional even if you have GRUB_ENABLE_CRYPTODISK=y, so I'd like to
drop it, but that does mean that people who *don't* have
GRUB_ENABLE_CRYPTODISK=y will once again see no hint of what to do.

I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
begin with; it seems like a bit of a "do you want things to work? [y/N]"
option to me.  My preferred approach would be to delete the option.  If
there's some reason we can't do that, perhaps it would be worth checking
for whether it would have any effect if enabled, and if so print an
explanatory warning?

Thanks,

-- 
Colin Watson                                       [cjwatson@ubuntu.com]

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 597 bytes --]

On 07.12.2013 14:27, Colin Watson wrote:
> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
> begin with; it seems like a bit of a "do you want things to work? [y/N]"
> option to me.  My preferred approach would be to delete the option. 
Cryptodisk support is allowed to ask user for password which is not
possible for unattended systems.
E.g. in old config GRUB was looking for unifont under /usr/share. If you
make cryptodisk default a server doing this would stop in password
prompt rather than skipping unifont and going to text mode and
continuing booting.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Andrey Borzenkov]

В Sat, 7 Dec 2013 13:27:26 +0000
Colin Watson <cjwatson@ubuntu.com> пишет:

> I'm carrying this old patch in Debian at the moment, which predates the
> addition of LUKS support to GRUB:
> 
> Index: b/util/grub-mkconfig_lib.in
> ===================================================================
> --- a/util/grub-mkconfig_lib.in
> +++ b/util/grub-mkconfig_lib.in
> @@ -130,6 +130,15 @@
>      esac
>    done
>  
> +  if dmsetup status $device 2>/dev/null | grep -q 'crypt[[:space:]]$'; then
> +    grub_warn \
> +      "$device is a crypto device, which GRUB cannot read directly.  Some" \
> +      "necessary modules may be missing from /boot/grub/grub.cfg.  You may" \
> +      "need to list them in GRUB_PRELOAD_MODULES in /etc/default/grub.  See" \
> +      "http://bugs.debian.org/542165 for details."
> +    return 0
> +  fi
> +
>    # Abstraction modules aren't auto-loaded.
>    abstraction="`"${grub_probe}" --device $@ --target=abstraction`"
>    for module in ${abstraction} ; do
> 
> Now, this is obviously wrong because it renders LUKS support mostly
> non-functional even if you have GRUB_ENABLE_CRYPTODISK=y, so I'd like to
> drop it, but that does mean that people who *don't* have
> GRUB_ENABLE_CRYPTODISK=y will once again see no hint of what to do.
> 
> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
> begin with; it seems like a bit of a "do you want things to work? [y/N]"
> option to me.  My preferred approach would be to delete the option.  If
> there's some reason we can't do that, perhaps it would be worth checking
> for whether it would have any effect if enabled, and if so print an
> explanatory warning?
> 

I think it came up recently and explanation was, in this case grub may
unintentionally end up to need more crypto devices than user expects and
thus waiting for passphrase on boot.

One reason it may happen is due to font handling. First, undocumented
GRUB_FONT which can theoretically point anywhere; second fallback
to /usr/share and similar if GRUB_FONT is not defined. So even if /boot
itself is unencrypted, you may suddenly pull in encrypted root.

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Colin Watson]

On Sat, Dec 07, 2013 at 02:49:45PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 07.12.2013 14:27, Colin Watson wrote:
> > I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
> > begin with; it seems like a bit of a "do you want things to work? [y/N]"
> > option to me.  My preferred approach would be to delete the option. 
> 
> Cryptodisk support is allowed to ask user for password which is not
> possible for unattended systems.
> E.g. in old config GRUB was looking for unifont under /usr/share. If you
> make cryptodisk default a server doing this would stop in password
> prompt rather than skipping unifont and going to text mode and
> continuing booting.

OK.  I get that we don't necessarily want to be noisy if it's just for
something optional.  But if somebody's /boot is on LUKS, it would be
nice to tell them how to enable support for that rather than just having
grub-mkconfig fail, right?  I think grub-install already gives specific
instructions, so we could do that in grub-mkconfig too.

-- 
Colin Watson                                       [cjwatson@ubuntu.com]

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Chris Murphy]

On Dec 7, 2013, at 7:00 AM, Colin Watson <cjwatson@ubuntu.com> wrote:

> On Sat, Dec 07, 2013 at 02:49:45PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> On 07.12.2013 14:27, Colin Watson wrote:
>>> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
>>> begin with; it seems like a bit of a "do you want things to work? [y/N]"
>>> option to me.  My preferred approach would be to delete the option. 
>> 
>> Cryptodisk support is allowed to ask user for password which is not
>> possible for unattended systems.
>> E.g. in old config GRUB was looking for unifont under /usr/share. If you
>> make cryptodisk default a server doing this would stop in password
>> prompt rather than skipping unifont and going to text mode and
>> continuing booting.
> 
> OK.  I get that we don't necessarily want to be noisy if it's just for
> something optional.  But if somebody's /boot is on LUKS, it would be
> nice to tell them how to enable support for that rather than just having
> grub-mkconfig fail, right?  I think grub-install already gives specific
> instructions, so we could do that in grub-mkconfig too.

Encrypted /boot seems to be an edge case, at least for x86 UEFI, on which increasingly systems are shipping with a firmware that doesn't initialize USB at all in order shave off boot time. For these systems, as far as I know, GRUB, or any boot manager, can't initialize USB while boot services is still active. So we're looking at systems with no interactive means to manipulate a boot menu at boot time, or type in passwords. Instead it seems we need an application that modifies e.g. grubenv so the grub.cfg knows what to boot. 

Anyway, I'm uncertain about the benefit of encrypted /boot. If boot files are supposed to be protected from modification then that's what secure boot is for.


Chris Murphy

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 2353 bytes --]

On 08.12.2013 00:42, Chris Murphy wrote:
> 
> On Dec 7, 2013, at 7:00 AM, Colin Watson <cjwatson@ubuntu.com> wrote:
> 
>> On Sat, Dec 07, 2013 at 02:49:45PM +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>>> On 07.12.2013 14:27, Colin Watson wrote:
>>>> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
>>>> begin with; it seems like a bit of a "do you want things to work? [y/N]"
>>>> option to me.  My preferred approach would be to delete the option. 
>>>
>>> Cryptodisk support is allowed to ask user for password which is not
>>> possible for unattended systems.
>>> E.g. in old config GRUB was looking for unifont under /usr/share. If you
>>> make cryptodisk default a server doing this would stop in password
>>> prompt rather than skipping unifont and going to text mode and
>>> continuing booting.
>>
>> OK.  I get that we don't necessarily want to be noisy if it's just for
>> something optional.  But if somebody's /boot is on LUKS, it would be
>> nice to tell them how to enable support for that rather than just having
>> grub-mkconfig fail, right?  I think grub-install already gives specific
>> instructions, so we could do that in grub-mkconfig too.
> 
> Encrypted /boot seems to be an edge case, at least for x86 UEFI, on which increasingly systems are shipping with a firmware that doesn't initialize USB at all in order shave off boot time. For these systems, as far as I know, GRUB, or any boot manager, can't initialize USB while boot services is still active. So we're looking at systems with no interactive means to manipulate a boot menu at boot time, or type in passwords. Instead it seems we need an application that modifies e.g. grubenv so the grub.cfg knows what to boot. 
> 
> Anyway, I'm uncertain about the benefit of encrypted /boot. If boot files are supposed to be protected from modification then that's what secure boot is for.
> 
> 
That's all beside the original topic of this thread. This is unfortunate
that this becomes a tendency on this list to usurp threads for unrelated
comments.
And note that encrypted /boot as part of encrypted / is easier to manage
in some cases
> Chris Murphy
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Colin Watson]

On Sat, Dec 07, 2013 at 04:42:02PM -0700, Chris Murphy wrote:
> Encrypted /boot seems to be an edge case, at least for x86 UEFI
[...]

GRUB supports many platforms; an issue with a single one, even if it's
common, doesn't in general mean we shouldn't take straightforward
measures to improve things for others.

-- 
Colin Watson                                       [cjwatson@ubuntu.com]

Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?

[Chris Murphy]

On Dec 9, 2013, at 4:37 AM, Colin Watson <cjwatson@ubuntu.com> wrote:

> On Sat, Dec 07, 2013 at 04:42:02PM -0700, Chris Murphy wrote:
>> Encrypted /boot seems to be an edge case, at least for x86 UEFI
> [...]
> 
> GRUB supports many platforms; an issue with a single one, even if it's
> common, doesn't in general mean we shouldn't take straightforward
> measures to improve things for others.

Fair enough.


Chris Murphy