From: brutser@perso.be
To: grub-devel@gnu.org
Cc: dkiper@net-space.pl, ps@pks.im
Date: Tue, 2 Aug 2022 01:47:57 +0200 (CEST)
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers

Debian 11.4 for all the testing.

As I said, I execute a shell during installation, then simply enter the commands I wrote earlier:

cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /root/header.bin --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda2
cryptsetup luksOpen --header /root/header.bin /dev/sda2 sda2crypt
pvcreate /dev/mapper/sda2crypt
vgcreate testvg /dev/mapper/sda2crypt
lvcreate -L 2G -n root testvg

- continue install Debian 11.4
- chroot into system
- copy header
- populate crypttab etc.

This whole process works 100% fine with grub 2.04 and luks1 as I said before...


From: Glenn Washburn <development@efficientek.com>
To: brutser--- via Grub-devel <grub-devel@gnu.org>
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: 02/08/2022 01:24:47 Europe/Paris
Cc: brutser@perso.be;
    dkiper@net-space.pl;
    ps@pks.im

On Tue, 2 Aug 2022 00:21:09 +0200 (CEST)
brutser--- via Grub-devel <grub-devel@gnu.org> wrote:

> Glenn,
>
> Still resorted to screenshots for the debug (with the added dprintf):
>
> https://imgur.com/a/YkVMdBe

Ok, that confirms that the luks2 module is loaded and that the scan is
happening. Based on the output I think luks2_read_header must be
failing. That means that either disk reads are failing, which doesn't
seem like the case, the disk read hook is failing or the LUKS2 magic
bytes are not what they should be.

Have you verified that after creating the volume and header file that
cryptsetup/dm can open the volume successfully?

What architecture and endianness is the machine you're running
cryptsetup on and what is it for the one GRUB is running on?

To test the read hook, add 'grub_dprintf("luks2", "read hook
succeeded\n");' just before the last return statement in the function
cryptodisk_read_hook in grub-core/disk/cryptodisk.c.

Glenn

>
> From: Glenn Washburn <development@efficientek.com>
> To: brutser--- via Grub-devel <grub-devel@gnu.org>
> Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> Date: 01/08/2022 22:50:27 Europe/Paris
> Cc: brutser@perso.be;
>     dkiper@net-space.pl;
>     ps@pks.im
>
> On Sat, 30 Jul 2022 11:54:32 +0200 (CEST)
> brutser--- via Grub-devel <grub-devel@gnu.org> wrote:
>
> > Glenn,
> >
> > As I had no idea how to get the debug logs from qemu, I made screenshots, find them attached. As this is probably something I am doing wrong, I hope it shows from the logs.
> >
> > https://imgur.com/a/rAlfZ77
>
> Getting the output to go to serial depends on the target. For i386
> using seabios, use "-fw_cfg name=etc/sercon-port,string=0 -serial
> stdio".
>
> Unfortunately, I'm now seeing that there are no debug log messages
> in the luks2 module that would be shown in this case. How about putting
> the line 'grub_dprintf("luks2", "entering luks2_scan\n");' at the start of the
> function luks2_scan in grub-core/disk/luks2.c and then recompiling and
> getting the output?
>
> Glenn
>
> >
> > From: Glenn Washburn <development@efficientek.com>
> > To: brutser@perso.be
> > Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> > Date: 29/07/2022 21:27:48 Europe/Paris
> > Cc: grub-devel@gnu.org;
> >     dkiper@net-space.pl;
> >     ps@pks.im
> >
> > On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
> > brutser@perso.be wrote:
> >
> > > testing detached header failed:
> > >
> > > 1. built grub payload with following modules: ahci usb_keyboard part_msdos part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512
> > >
> > > 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k --luks2-keyslots-size=512k /dev/sda1
> > >
> > > (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, this is just to minimize header size, but I also tested without).
> > >
> > > 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H /path/to/header (ahci0,msdos1)
> > >
> > > 4. I also tried luks1 encryption with detached header.
> > >
> > > whatever I try, I always get the same error:
> > >
> > > "no cryptodisk module can handle this device"
> > >
> > > Is this feature not 100% implemented yet? I saw people already verifying the patches and would expect this to be working, so if yes, this seems like a bug.
> >
> > This feature should be working in all cases, and if not there may be a
> > bug. I responded to your off-list email before seeing this one. I'll
> > repeat what I said there and let's continue this discussion on the list.
> >
> > I see nothing obviously wrong with what you're doing, given the
> > information above. To further debug this, would you be able to send a
> > log of the serial output when the GRUB envvar debug is set to "all"
> > while running the cryptomount command? If so, please send compressed in
> > a reply to this email on the list.
> >
> > If you can't because of hardware issues, would you be able to replicate
> > this in QEMU and grab the serial output from there? If you can boot the
> > system via other means, you should be able to use the raw disks (the
> > one with the LUKS volume and the other with the filesystem containing
> > the header file).
> >
> > Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

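A host-side check for the failure mode Glenn suspects above (luks2_read_header rejecting the header because the magic bytes or version are not what GRUB expects). This is an added example written for this page; it is not code from the thread, from GRUB or from cryptsetup. It parses the 4096-byte LUKS2 binary header at the start of a detached header file (magic, big-endian version, hdr_size and hdr_offset), verifies the header checksum over binary header plus JSON area as the LUKS2 on-disk format defines it (csum field zeroed during hashing), and cross-checks config.json_size against hdr_size. It goes beyond the thread in checking the checksum and in accepting the secondary "SKUL" copy. The bytes it parses come from build_luks2_header, a constructed minimal header with empty keyslots using the 16k metadata size from the thread, so it runs offline; to inspect a real file, pass the contents of /root/header.bin to parse_luks2_header. The function and field names are this example's own.

```python
"""Sanity-check a LUKS2 binary header (device or detached header file).

Added example for this thread, not GRUB or cryptsetup code.  Field layout
and checksum rule follow the LUKS2 on-disk format; every integer field is
big-endian no matter which CPU wrote or reads the header.
"""
import hashlib
import json
import struct

BIN_HDR_LEN = 4096                 # fixed length of the binary header
MAGIC_PRIMARY = b"LUKS\xba\xbe"    # first header copy, at offset 0
MAGIC_SECONDARY = b"SKUL\xba\xbe"  # second copy, at offset hdr_size
# magic[6] version:u16 hdr_size:u64 seqid:u64 label[48] csum_alg[32]
# salt[64] uuid[40] subsystem[48] hdr_offset:u64 pad[184] csum[64]
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"
CSUM_OFFSET = struct.calcsize(">6sHQQ48s32s64s40s48sQ184s")  # 448
CSUM_LEN = 64


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_luks2_header(blob: bytes) -> dict:
    """Validate magic, version, sizes and checksum; raise on a header a loader should reject."""
    if len(blob) < BIN_HDR_LEN:
        raise ValueError(f"need at least {BIN_HDR_LEN} bytes, got {len(blob)}")
    (magic, version, hdr_size, seqid, label, csum_alg, _salt, uuid,
     _subsystem, hdr_offset, _pad, csum) = struct.unpack_from(HDR_FMT, blob, 0)
    if magic == MAGIC_PRIMARY:
        copy = "primary"
    elif magic == MAGIC_SECONDARY:
        copy = "secondary"
    else:
        raise ValueError(f"bad magic {magic!r}: not a LUKS2 header")
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    if not BIN_HDR_LEN < hdr_size <= len(blob):
        raise ValueError(f"hdr_size {hdr_size} inconsistent with {len(blob)} bytes read")
    alg = _cstr(csum_alg)
    if alg not in hashlib.algorithms_available:
        raise ValueError(f"unknown checksum algorithm {alg!r}")
    # Checksum covers binary header + JSON area with the csum field zeroed.
    area = bytearray(blob[:hdr_size])
    area[CSUM_OFFSET:CSUM_OFFSET + CSUM_LEN] = bytes(CSUM_LEN)
    digest = hashlib.new(alg, bytes(area)).digest()
    checksum_ok = csum[:len(digest)] == digest
    meta = json.loads(_cstr(blob[BIN_HDR_LEN:hdr_size]))
    json_size = int(meta["config"]["json_size"])
    if json_size != hdr_size - BIN_HDR_LEN:
        raise ValueError(f"config.json_size {json_size} != hdr_size - {BIN_HDR_LEN}")
    return {"copy": copy, "version": version, "hdr_size": hdr_size,
            "hdr_offset": hdr_offset, "seqid": seqid, "label": _cstr(label),
            "uuid": _cstr(uuid), "checksum_alg": alg, "checksum_ok": checksum_ok,
            "json_size": json_size,
            "keyslots_size": int(meta["config"]["keyslots_size"])}


def build_luks2_header(hdr_size: int = 16384, keyslots_size: int = 524288,
                       secondary: bool = False) -> bytes:
    """Constructed minimal header (no keyslots) with a valid checksum, for offline testing."""
    json_size = hdr_size - BIN_HDR_LEN
    meta = {"keyslots": {}, "tokens": {}, "segments": {}, "digests": {},
            "config": {"json_size": str(json_size), "keyslots_size": str(keyslots_size)}}
    json_area = json.dumps(meta).encode().ljust(json_size, b"\0")
    magic = MAGIC_SECONDARY if secondary else MAGIC_PRIMARY
    fields = (magic, 2, hdr_size, 1, b"", b"sha256", bytes(range(64)),
              b"00000000-0000-4000-8000-000000000000", b"",   # constructed UUID
              hdr_size if secondary else 0, b"", bytes(CSUM_LEN))
    binhdr = bytearray(struct.pack(HDR_FMT, *fields).ljust(BIN_HDR_LEN, b"\0"))
    digest = hashlib.sha256(bytes(binhdr) + json_area).digest()
    binhdr[CSUM_OFFSET:CSUM_OFFSET + len(digest)] = digest
    return bytes(binhdr) + json_area


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_luks2_header()
    for key, value in parse_luks2_header(data).items():
        print(f"{key:>14}: {value}")
```

With --luks2-metadata-size=16k, hdr_size is 16384 and covers the binary header plus a 12288-byte JSON area, so a detached header file must be read whole (not just its first sector) for the checksum to be checked. A bad magic or version is exactly the case in which a loader reports that no cryptodisk module can handle the device, whereas a checksum mismatch with a good magic points at a header that was copied incompletely or modified after luksFormat.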