Hi Glenn,

To explain in more detail how I run my tests, because the whole picture can give you a better understanding as to why it fails with me:

1. As grub payload is used for coreboot, I first build coreboot for the system (default build, nothing special).

2. To build grub:

   git clone https://git.savannah.gnu.org/git/grub.git
   ./bootstrap
   ./autogen.sh
   ./configure --with-platform=coreboot --disable-werror
   make

3. Change modules in Makefile to match the ones I wrote earlier.

4. make default_payload.elf

5. Installation debian (expert install)

6. Encrypt partition

   cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1

   or LUKS1:

   cryptsetup luksFormat --cipher aes-xts-plain64 --hash=sha256 --key-size=512 --header /path/to/header --type luks1 /dev/sda1

7. Create necessary logical volumes and start installation debian

8. Add crypttab, copy the header and keyfiles to target system.

This exact same setup works fine with grub 2.04 and John Lane's patches: https://grub.johnlane.ie/ (obviously only LUKS1 support).

I will try to debug, not really experienced with that, but will try to figure it out.

From: Glenn Washburn
To: brutser@perso.be
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: 29/07/2022 21:27:48 Europe/Paris
Cc: grub-devel@gnu.org; dkiper@net-space.pl; ps@pks.im

On Fri, 29 Jul 2022 20:56:18 +0200 (CEST) brutser@perso.be wrote:

> testing detached header failed:
>
> 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
>
> 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
>
> (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
>
> 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
>
> 4. I also tried luks1 encryption with detached header.
>
> whatever I try, I always get the same error:
> "no cryptodisk module can handle this device"
>
> Is this feature not 100% implemented yet, I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.

This feature should be working in all cases, and if not there may be a bug. I responded to your off-list email before seeing this one. I'll repeat what I said there and let's continue this discussion on the list.

I see nothing obviously wrong with what you're doing, given the information above. To further debug this, would you be able to send a log of the serial output when the GRUB envvar debug is set to "all" while running the cryptomount command? If so, please send compressed in a reply to this email on the list.

If you can't because of hardware issues, would you be able to replicate this in QEMU and grab the serial output from there? If you can boot the system via other means, you should be able to use the raw disks (the one with the LUKS volume and the other with the filesystem containing the header file).

Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
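
A quick check that can accompany the debug log requested above: confirm from a running system that the detached header file starts with the LUKS magic, and see which on-disk version it carries, since GRUB parses LUKS1 in its luks module and LUKS2 in its luks2 module. This is an added example, not part of the thread or of GRUB; the function name inspect_luks_header and both sample headers are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"           # first 6 bytes of a LUKS1 or primary LUKS2 header
GRUB_MODULE = {1: "luks", 2: "luks2"}  # GRUB module that parses each on-disk version


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks_header(data: bytes) -> dict:
    """Identify a (detached) LUKS header from its first bytes."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return {"luks": False, "reason": "LUKS magic not found at offset 0"}
    (version,) = struct.unpack(">H", data[6:8])  # big-endian uint16
    info = {"luks": True, "version": version,
            "grub_module": GRUB_MODULE.get(version)}
    if version == 1 and len(data) >= 112:
        # LUKS1 phdr: cipher name, cipher mode, hash spec (32 bytes each),
        # then payload offset and key size as big-endian uint32.
        info["cipher"] = cstr(data[8:40])
        info["mode"] = cstr(data[40:72])
        info["hash"] = cstr(data[72:104])
        info["payload_offset"], info["key_bytes"] = struct.unpack(">II", data[104:112])
    elif version == 2 and len(data) >= 24:
        # LUKS2 binary header: size of binary header plus JSON area, then sequence id.
        info["hdr_size"], info["seqid"] = struct.unpack(">QQ", data[8:24])
    return info


def pad(text: str, width: int = 32) -> bytes:
    return text.encode().ljust(width, b"\0")


# Constructed sample headers (not taken from a real volume).
SAMPLE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1) + pad("aes") +
                pad("xts-plain64") + pad("sha256") + struct.pack(">II", 0, 64))
SAMPLE_LUKS2 = LUKS_MAGIC + struct.pack(">H", 2) + struct.pack(">QQ", 16384, 3)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 check_header.py /path/to/header
        with open(sys.argv[1], "rb") as fh:
            print(inspect_luks_header(fh.read(4096)))
    else:
        for sample in (SAMPLE_LUKS1, SAMPLE_LUKS2, b"\0" * 512):
            print(inspect_luks_header(sample))
```
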