From: brutser@perso.be
To: grub-devel@gnu.org
Cc: dkiper@net-space.pl, ps@pks.im
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: Fri, 29 Jul 2022 22:01:17 +0200 (CEST)
Message-ID: <ea-mime-62e43c8d-1ceb-3a4b7a27@www.mailo.com>

Hi Glenn,

To explain in more detail how I run my tests, because the whole picture can give you a better understanding as to why it fails with me:

1. As grub payload is used for coreboot, I first build coreboot for the system (default build, nothing special).

2. To build grub:

git clone https://git.savannah.gnu.org/git/grub.git

./bootstrap

./autogen.sh

./configure --with-platform=coreboot --disable-werror

make



3. Change modules in Makefile to match the ones I wrote earlier.

4. make default_payload.elf



5. Installation of Debian (expert install)

6. Encrypt partition

cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1

or LUKS1:

cryptsetup luksFormat --cipher aes-xts-plain64 --hash=sha256 --key-size=512 --header /path/to/header --type luks1 /dev/sda1

7. Create necessary logical volumes and start the Debian installation

8. Add crypttab, copy the header and keyfiles to target system.



This exact same setup works fine with grub 2.04 and John Lane's patches: https://grub.johnlane.ie/ (obviously only LUKS1 support).



I will try to debug, not really experienced with that, but will try to figure it out.



From: Glenn Washburn <development@efficientek.com>
To: brutser@perso.be
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: 29/07/2022 21:27:48 Europe/Paris
Cc: grub-devel@gnu.org;
   dkiper@net-space.pl;
   ps@pks.im

On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
brutser@perso.be wrote:

> 
> testing detached header failed:
> 
> 
> 
> 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
> 
> 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
> 
> (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
> 
> 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
> 
> 
> 
> 4. I also tried luks1 encryption with detached header.
> 
> 
> 
> whatever I try, I always get the same error:
> 
> "no cryptodisk module can handle this device"
> 
> 
> 
> Is this feature not 100% implemented yet? I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.

This feature should be working in all cases, and if not there may be a
bug. I responded to your off-list email before seeing this one. I'll
repeat what I said there and let's continue this discussion on the list.

I see nothing obviously wrong with what you're doing, given the
information above. To further debug this, would you be able to send a
log of the serial output when the GRUB envvar debug is set to "all"
while running the cryptomount command? If so, please send compressed in
a reply to this email on the list.

If you can't because of hardware issues, would you be able to replicate
this in QEMU and grab the serial output from there? If you can boot the
system via other means, you should be able to use the raw disks (the
one with the LUKS volume and the other with the filesystem containing
the header file).

Glenn


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
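
A check that can be run on a detached header file alongside collecting the debug log, as an added example that is not part of the original email or of GRUB's code: it reads the LUKS version, hashes and KDF type from the header and lists which modules are absent from a build's module list. The function names are hypothetical, the sample headers are constructed and fill only the fields the parser reads, and the hash-to-module table covers only the gcry modules named in this thread.

```python
import json
import struct

MAGIC = b"LUKS\xba\xbe"            # first 6 bytes of a LUKS1/LUKS2 primary header
BACKEND = {1: "luks", 2: "luks2"}  # GRUB cryptodisk backend per on-disk version
HASH_MOD = {"sha1": "gcry_sha1", "sha256": "gcry_sha256", "sha512": "gcry_sha512"}

def inspect_header(blob):
    """Return (version, hash names, KDF types) read from a header image."""
    if blob[:6] != MAGIC:
        raise ValueError("no LUKS magic at offset 0: not a LUKS header file")
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 1:
        # LUKS1: cipher name @8, cipher mode @40, hash spec @72 (32 bytes each)
        hash_spec = blob[72:104].split(b"\0")[0].decode()
        return 1, {hash_spec}, {"pbkdf2"}  # LUKS1 key slots always use PBKDF2
    if version == 2:
        # LUKS2: 4096-byte binary header, then NUL-padded JSON up to hdr_size
        hdr_size = struct.unpack(">Q", blob[8:16])[0]
        meta = json.loads(blob[4096:hdr_size].split(b"\0")[0])
        slots = meta["keyslots"].values()
        hashes = {s["kdf"]["hash"] for s in slots if "hash" in s["kdf"]}
        hashes |= {d["hash"] for d in meta["digests"].values()}
        return 2, hashes, {s["kdf"]["type"] for s in slots}
    raise ValueError(f"unknown LUKS version {version}")

def missing_modules(blob, built):
    """Modules the header needs that are absent from the built module list."""
    version, hashes, _ = inspect_header(blob)
    # A hash outside HASH_MOD is reported as "?<name>" so it is never silently skipped.
    need = [BACKEND[version]] + sorted(HASH_MOD.get(h, "?" + h) for h in hashes)
    return [m for m in need if m not in built]

# Module list as quoted in the thread; headers below are constructed samples.
MODULES_ON_PAGE = ("ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk "
                   "luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512").split()
LUKS1_SAMPLE = (MAGIC + struct.pack(">H", 1) + b"aes".ljust(32, b"\0")
                + b"xts-plain64".ljust(32, b"\0")
                + b"sha256".ljust(32, b"\0")).ljust(592, b"\0")
_JSON = json.dumps({"keyslots": {"0": {"kdf": {"type": "pbkdf2", "hash": "sha512"}}},
                    "digests": {"0": {"type": "pbkdf2", "hash": "sha512"}}}).encode()
LUKS2_SAMPLE = ((MAGIC + struct.pack(">HQ", 2, 16384)).ljust(4096, b"\0")
                + _JSON.ljust(12288, b"\0"))

if __name__ == "__main__":
    for name, blob in (("LUKS1", LUKS1_SAMPLE), ("LUKS2", LUKS2_SAMPLE)):
        print(name, inspect_header(blob), "missing:", missing_modules(blob, MODULES_ON_PAGE))
```

To check a real header, pass the bytes of the file given to `--header` (for example `open(path, "rb").read()`) together with the module list used for the payload build.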
