From: brutser@perso.be
To: grub-devel@gnu.org
Cc: dkiper@net-space.pl, ps@pks.im
Date: Tue, 2 Aug 2022 00:21:09 +0200 (CEST)
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers

Glenn,

Still resorted to screenshots for the debug (with the added dprintf):

https://imgur.com/a/YkVMdBe


From: Glenn Washburn <development@efficientek.com>
To: brutser--- via Grub-devel <grub-devel@gnu.org>
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: 01/08/2022 22:50:27 Europe/Paris
Cc: brutser@perso.be; dkiper@net-space.pl; ps@pks.im

On Sat, 30 Jul 2022 11:54:32 +0200 (CEST)
brutser--- via Grub-devel <grub-devel@gnu.org> wrote:

> Glenn,
>
>
>
> As I had no idea how to get the debug logs from qemu, I made screenshots, find them attached. As this is probably something I am doing wrong, I hope it shows from the logs.
>
> https://imgur.com/a/rAlfZ77

Getting the output to go to serial depends on the target. For i386
using seabios, use "-fw_cfg name=etc/sercon-port,string=0 -serial stdio".

Unfortunately, I'm now seeing that there are no debug log messages
in the luks2 module that would be shown in this case. How about
putting the line 'grub_dprintf("entering luks_scan");' at the start of the
function luks2_scan in grub-core/disk/luks2.c and then recompiling and
getting the output?

Glenn


>
> From: Glenn Washburn <development@efficientek.com>
> To: brutser@perso.be
> Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> Date: 29/07/2022 21:27:48 Europe/Paris
> Cc: grub-devel@gnu.org; dkiper@net-space.pl; ps@pks.im
>
> On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
> brutser@perso.be wrote:
>
> >
> > testing detached header failed:
> >
> >
> >
> > 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
> >
> > 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
> >
> > (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
> >
> > 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
> >
> >
> >
> > 4. I also tried luks1 encryption with detached header.
> >
> >
> >
> > whatever I try, I always get the same error:
> >
> > "no cryptodisk module can handle this device"
> >
> >
> >
> > Is this feature not 100% implemented yet, I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.
>
> This feature should be working in all cases, and if not there may be a
> bug. I responded to your off-list email before seeing this one. I'll
> repeat what I said there and let's continue this discussion on the list.
>
> I see nothing obviously wrong with what you're doing, given the
> information above. To further debug this, would you be able to send a
> log of the serial output when the GRUB envvar debug is set to "all"
> while running the cryptomount command? If so, please send compressed in
> a reply to this email on the list.
>
> If you can't because of hardware issues, would you be able to replicate
> this in QEMU and grab the serial output from there? If you can boot the
> system via other means, you should be able to use the raw disks (the
> one with the LUKS volume and the other with the filesystem containing
> the header file).
>
> Glenn
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
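
A host-side sanity check for the detached-header setup discussed in this thread, as an added example that is not part of the original messages or of GRUB: it classifies the first bytes of a header file or block device as LUKS1, LUKS2 or neither, using the binary header layout of the LUKS2 on-disk format, and verifies the LUKS2 header checksum. The function names and the sample header are constructed for illustration.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS2 binary header fields, all big-endian: magic, version, hdr_size, seqid,
# label, checksum_alg, salt, uuid, subsystem, hdr_offset (264 bytes in total).
LUKS2_FMT = ">6sHQQ48s32s64s40s48sQ"
CSUM_OFF, CSUM_LEN, BIN_HDR_LEN = 448, 64, 4096


def inspect_header(blob):
    """Classify the first bytes of a header file or a block device."""
    if blob[:6] != LUKS_MAGIC or len(blob) < 8:
        return {"kind": "none"}
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        return {"kind": "luks1"}
    if version != 2 or len(blob) < BIN_HDR_LEN:
        return {"kind": "unknown", "version": version}
    f = struct.unpack_from(LUKS2_FMT, blob)
    alg = f[5].rstrip(b"\0").decode("ascii", "replace")
    info = {"kind": "luks2", "hdr_size": f[2], "seqid": f[3],
            "uuid": f[7].rstrip(b"\0").decode("ascii", "replace"),
            "hdr_offset": f[9], "checksum_ok": None}
    # The checksum covers hdr_size bytes (binary header plus JSON area)
    # with the checksum field itself zeroed.
    if alg in ("sha1", "sha256", "sha512") and BIN_HDR_LEN <= f[2] <= len(blob):
        zeroed = blob[:CSUM_OFF] + bytes(CSUM_LEN) + blob[CSUM_OFF + CSUM_LEN:f[2]]
        digest = hashlib.new(alg, zeroed).digest()
        info["checksum_ok"] = blob[CSUM_OFF:CSUM_OFF + len(digest)] == digest
    return info


def build_sample_header(hdr_size=16384):
    """Constructed LUKS2 header with an empty JSON area (sample data only)."""
    fixed = struct.pack(LUKS2_FMT, LUKS_MAGIC, 2, hdr_size, 1, b"", b"sha256",
                        bytes(64), b"00000000-0000-0000-0000-000000000000", b"", 0)
    blob = bytearray(fixed.ljust(hdr_size, b"\0"))
    blob[CSUM_OFF:CSUM_OFF + 32] = hashlib.sha256(bytes(blob)).digest()
    return bytes(blob)


if __name__ == "__main__":
    # Constructed stand-ins for /path/to/header and the data partition.
    print("header file:", inspect_header(build_sample_header()))
    print("data device:", inspect_header(bytes(16384)))
```

With `--header`, cryptsetup writes the LUKS header to the given file rather than to the data device, so the file is the place to look for the magic and version.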