Re: [PATCH v3 0/3] Cryptomount detached headers

From: brutser@perso.be
To: grub-devel@gnu.org
Cc: dkiper@net-space.pl, ps@pks.im
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: Sat, 30 Jul 2022 20:48:54 +0200 (CEST)	[thread overview]
Message-ID: <ea-mime-62e57d16-1ffc-60743024@www.mailo.com> (raw)
In-Reply-To: <ea-mime-62e4ffd8-36bf-56c3b46c@www.mailo.com>

[-- Attachment #1: Type: text/plain, Size: 3112 bytes --]

Glenn,

The most obvious error that jumps out: 

Read out of range: sector 0x32000 (attempt to read or write outside partition)

Van: brutser--- via Grub-devel <grub-devel@gnu.org>
Aan: grub-devel@gnu.org
Onderwerp: Re: [PATCH v3 0/3] Cryptomount detached headers
Datum: 30/07/2022 11:54:32 Europe/Paris
Cc: brutser@perso.be;
   dkiper@net-space.pl;
   ps@pks.im

Glenn,

As I had no idea how to get the debug logs from qemu, I made screenshots, find them attached. As this is probably something I am doing wrong, I hope it shows from the logs.

https://imgur.com/a/rAlfZ77

Van: Glenn Washburn <development@efficientek.com>
Aan: brutser@perso.be
Onderwerp: Re: [PATCH v3 0/3] Cryptomount detached headers
Datum: 29/07/2022 21:27:48 Europe/Paris
Cc: grub-devel@gnu.org;
   dkiper@net-space.pl;
   ps@pks.im

On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
brutser@perso.be wrote:

> 
> testing detached header failed:
> 
> 
> 
> 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
> 
> 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
> 
> (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
> 
> 3. from the grub cmd, i try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
> 
> 
> 
> 4. I also tried luks1 encryption with detached header.
> 
> 
> 
> whatever I try, I always get the same error:
> 
> "no cryptodisk module can handle this device"
> 
> 
> 
> Is this feature not 100% implemented yet, I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.

This feature should be working in all cases, and if not there may be a
bug. I responded to your off-list email before seeing this one. I'll
repeat what I said there and let's continue this discussion on the list.

I see nothing obviously wrong with what you're doing, given the
information above. To further debug this, would you be able to send a
log of the serial output when the GRUB envvar debug is set to "all"
while running the cryptomount command? If so, please send compressed in
a reply to this email on the list.

If you can't because of hardware issues, would you be able to replicate
this in QEMU and grab the serial output from there? If you can boot the
system via other means, you should be able to use the raw disks (the
one with the LUKS volume and the other with the filesystem containing
the header file).

Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[-- Attachment #2: Type: text/html, Size: 4078 bytes --]