[PATCH 0/2] Add support for unlocking root device via a key file

  • Done
  • quality assurance status badge
Details
4 participants
  • Dominik Riva
  • Ludovic Courtès
  • Tomas Volf
  • Tomas Volf
Owner
unassigned
Submitted by
Tomas Volf
Severity
normal
T
T
Tomas Volf wrote on 1 Aug 2023 22:53
(address . guix-patches@gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
cover.1690922760.git.wolf@wolfsden.cz
When having an encrypted /boot, it is currently necessary to input a password
twice, once for the /boot (so that grub can find its configuration) and later
once more in order to actually unlock the / itself. It is not very user
friendly and gets annoying quickly in more exotic setups. For example with /
on RAID1 BTRFS, password needs to be entered 4 times. And even without that,
for large encrypted arrays, password needs to be entered once per drive.

The obvious solution to this is to just use --key-file option of the luksOpen
command, however support for that was not implemented. This series adds that
support.

Another problem is where to store the key file, since it needs to be both
present in the initrd, but it cannot be in the store (since that would make it
world-readable, and you do not want that for an encryption key). Luckily for
us, grub can load multiple initrds and merge them, so option to specify
additional initrd (not from the store) is added as well.

Since extlinux does not look like supporting encrypted /boot (and this new
option should not be used for anything else), it was added only into into
grub.

Tomas Volf (2):
mapped-devices: Allow unlocking by a key file
gnu: bootloader: grub: Add support for loading an additional initrd

doc/guix.texi | 32 +++++++++++++++++
gnu/bootloader.scm | 6 +++-
gnu/bootloader/grub.scm | 6 ++--
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
4 files changed, 83 insertions(+), 28 deletions(-)


base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0
T
T
Tomas Volf wrote on 1 Aug 2023 23:09
[PATCH 1/2] mapped-devices: Allow unlocking by a key file
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
f868b4ab8b6ffdee7cfa0f2fc0c4ee3d7100f081.1690922760.git.wolf@wolfsden.cz
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)

Toggle diff (138 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..79b776e81e 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
--
2.41.0
T
T
Tomas Volf wrote on 1 Aug 2023 23:09
[PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
01792b1d4bf827da9d10b4f06cfe9127b9cfbe45.1690922760.git.wolf@wolfsden.cz
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)

Toggle diff (85 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
T
T
Tomas Volf wrote on 2 Aug 2023 15:02
[PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
untabify
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)

Toggle diff (140 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..0755036763 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0
T
T
Tomas Volf wrote on 2 Aug 2023 15:02
[PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
c2160a7c687622ffb7404004e183905299e6a695.1690981365.git.wolf@wolfsden.cz
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)

Toggle diff (85 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
D
D
Dominik Riva wrote on 10 Aug 2023 02:22
[PATCH 0/2] Add support for unlocking root device via a key file
(name . 65002@debbugs.gnu.org)(address . 65002@debbugs.gnu.org)
lEqw2_aHah7ibE60mIRq6EKG9YmJkiXnFZO4W-QFkURIAXUkM-9bUIvjVs8KJU0R0df8c-TDu9a58MioukopI8DuheY7e1hdPVzVUwVOq-M=@protonmail.ch
Hi,

I can confirm, the patches work for me but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.


;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  ;; /root in /root/key-file.cpio refers to the

  ;; /dev/mapper/enc btrfs root subvolume and not the home of root.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader-luks2)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)
                (extra-initrd "/root/key-file.cpio")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
          (target "enc")
          (type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))


The snipped from https://issues.guix.gnu.org/55723#0also needed a some changes.
I had to swap line 2 with 3, I switched ext2 with btrfs and the different format for the uuid ticked me as well.

But now I have a booting system and the passphrase only gets asked for once.


Thanks,
Dominik


Attachment: publickey - driva@protonmail.ch - 0x1019089F.asc
Attachment: signature.asc
T
T
Tomas Volf wrote on 9 Jan 17:57 +0100
control message for bug #65002
(address . control@debbugs.gnu.org)
900866bd2cdb4a0f7ca3897756f77da5@wolfsden.cz
submitter 65002 !
quit
L
L
Ludovic Courtès wrote on 10 Jan 00:21 +0100
Re: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
(name . Tomas Volf)(address . wolf@wolfsden.cz)(address . 65002@debbugs.gnu.org)
87il42w0sw.fsf@gnu.org
Hello!

I know, I know, it’s taken way too long… My apologies!

Tomas Volf <wolf@wolfsden.cz> skribis:

Toggle quote (4 lines)
> Requiring the user to input their password in order to unlock a device is not
> always reasonable, so having an option to unlock the device using a key file
> is a nice quality of life change.

Agreed; there’s interest for this feature, I’ve heard it quite a few
times.

Toggle quote (4 lines)
> * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> procedure

No need to repeat the file name here. Please also mention the
doc/guix.texi changes.

Toggle quote (11 lines)
> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> +Return a @code{luks-device-mapping} object, which defines LUKS block
> +device encryption using the @command{cryptsetup} command from the
> +package with the same name. It relies on the @code{dm-crypt} Linux
> +kernel module.
> +
> +If @code{key-file} is provided, unlocking is first attempted using that
> +key file. If it fails, password unlock is attempted as well. Key file
> +is not stored in the store and needs to be available at the specified
> +path at the time of the unlock attempt.

s/specified path/given location/

Perhaps add a sentence or two saying that the advantage is that it
allows you to avoid typing the passphrase, for instance by passing the
key file on a USB key (would that work?), but that this may not be
suitable for all use cases.

I’d also add a short commented config example.

I wonder if we could have a system test; it doesn’t sound very easy so
maybe we’ll skip, but you can check that the “encrypted-root-os” test,
which exercises ‘luks-device-mapping’, still passes (it takes time and
disk space).

The rest LGTM!

Ludo’.
L
L
Ludovic Courtès wrote on 10 Jan 00:28 +0100
Re: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(name . Tomas Volf)(address . wolf@wolfsden.cz)(address . 65002@debbugs.gnu.org)
87edeqw0h9.fsf@gnu.org
Tomas Volf <wolf@wolfsden.cz> skribis:

Toggle quote (6 lines)
> In order to be able to provide decryption keys for the LUKS device, they need
> to be available in the initial ram disk. However they cannot be stored inside
> the usual initrd, since it is stored in the store and being a
> world-readable (as files in the store are) is not a desired property for a
> initrd containing decryption keys.

This explanation should go in the manual IMO (it’s already partly there).

Toggle quote (12 lines)
> This commit adds an option to load additional initrd during the boot,
> one that is not stored inside the store and therefore can contain
> secrets.
>
> Since only grub supports encrypted /boot, only grub is modified to use the
> extra-initrd. There is no use case for the other bootloaders.
>
> * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> field.
> * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> * gnu/bootloader/grub.scm: Use the new extra-initrd field

It’d be great if you could specify the entities changes in each file
(which variable/procedure is changed, what is added/removed). A
committer can do it on your behalf later if you’re unsure.

Toggle quote (3 lines)
> +@item @code{extra-initrd} (default: @code{#f})
> +Path to an additional initrd to load. Should not point to a file in the

s/Path/File name/ (by convention)

Please make full sentences. “Should not” is probably too strong;
perhaps: “It may or may not point to a file in the store, but the main
use case is for out-of-store files containing secrets.”

Toggle quote (2 lines)
> +store. Typical use case is making keys to unlock LUKS device available

Add a line break after “store.” to distinguish the reference from the
discussion of one possible use case.

Toggle quote (17 lines)
> +during the boot process. For any use case not involving secrets, you
> +should use regular initrd (@pxref{operating-system Reference,
> +@code{initrd}}) instead.
> +
> +Suitable image can be created for example like this:
> +
> +@example
> +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> +chmod 0000 /key-file.cpio
> +@end example
> +
> +Be careful when using this option, since pointing to a file that is not
> +readable by the grub while booting will cause the boot to fail and
> +require a manual edit of the initrd line in the grub menu.
> +
> +Currently only supported by grub.

s/grub/GRUB/

Would be great if you could include also a short config example here, or
add a cross-reference to the example for
‘luks-device-mapping-with-options’ if that covers both.

Toggle quote (4 lines)
> + (extra-initrd bootloader-configuration-extra-initrd
> + (default #f)) ;string | #f
> + )

No lonely paren please. :-)

Otherwise LGTM.

Could you send updated patches with these minor changes?

Thanks!

Ludo’.
T
T
Tomas Volf wrote on 11 Jan 13:39 +0100
Re: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 65002@debbugs.gnu.org)
ZZ_hhwps_04Su6TY@ws
On 2024-01-10 00:21:19 +0100, Ludovic Courtès wrote:
Toggle quote (4 lines)
> Hello!
>
> I know, I know, it’s taken way too long… My apologies!

No worries, thank you for getting to it. :)
Toggle quote (8 lines)
>
> > * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> > procedure
>
> No need to repeat the file name here. Please also mention the
> doc/guix.texi changes.

Adjusted. I also fixed the name of the first procedure (should have been
open-luks-device).

Toggle quote (19 lines)
>
> > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> > +Return a @code{luks-device-mapping} object, which defines LUKS block
> > +device encryption using the @command{cryptsetup} command from the
> > +package with the same name. It relies on the @code{dm-crypt} Linux
> > +kernel module.
> > +
> > +If @code{key-file} is provided, unlocking is first attempted using that
> > +key file. If it fails, password unlock is attempted as well. Key file
> > +is not stored in the store and needs to be available at the specified
> > +path at the time of the unlock attempt.
>
> s/specified path/given location/
>
> Perhaps add a sentence or two saying that the advantage is that it
> allows you to avoid typing the passphrase, for instance by passing the
> key file on a USB key (would that work?), but that this may not be
> suitable for all use cases.

Added a sentence. As for the USB key, that would not currently work. The file
needs to be accessible to the init script, so the USB would need to be mounted
first. I believe extending the code to support it would not be hard (adding
e.g. #:device to luks-device-mapping-with-options), but I have not use for it,
so I did not intend to do it in this series. Maybe later.

Toggle quote (3 lines)
>
> I’d also add a short commented config example.

Done.

Toggle quote (6 lines)
>
> I wonder if we could have a system test; it doesn’t sound very easy so
> maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> which exercises ‘luks-device-mapping’, still passes (it takes time and
> disk space).

It does not pass, but it fails even on master ¯\_ (?)_/¯:

guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt

It seems somewhat hard to do it based on encrypted-root-os, but should be much
easier basing it on encrypted-home-os. I might give it a try.

Toggle quote (5 lines)
>
> The rest LGTM!
>
> Ludo’.

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEt4NJs4wUfTYpiGikL7/ufbZ/wakFAmWf4YcACgkQL7/ufbZ/
wam8UA/8C51fp/Acc3esHi1UWRS6G8oLFdiRTWbiFYKYng3QgCzOeTuHXyuSOOE2
RDDL0NIdbgR/Y7T+O78BPucrW8+KfCIP0Wh8lBcnvT8FTSKgoAEw4teQhaz3GzBG
LvASrTrl2eo1demGkdTdepTOL3/1eqAfhRKfBWRvG0teAPc8tSXpWTaiMv8V0IOk
OuT7n1U7OWAFxkMy4/pAAwshws9FhTpfBXqyoNqJlVVJIPykAsN3sgtKLhSmB5l/
H13H03fubWoEWOJpwD4KJ4u88hYv1Ya/FYv1sDeD7SF0cfCjPTVHQo9FY37W5Jke
MffylYFMbVYLbD/7USApx9eAYVAKxWMXjMlPf2ITXaXgUjlYFxzXi1m5SVDG3495
rbkLyQIJYf8gj8ugnPIqilNSpD0r8+sca6WyqhDQTgALdf8i5uz92OE6I7SJVTWa
4x1w2nx0O+Zf1AVDoJvzNox7vRWvxzS7HOnfjF/JVP3LOMwKUvmF9SDwsqfFwIni
CWWXliJm6hFYICcLhmUZLcKh3hRfPZm//DIAAdCTpJZtk0FF47MFXAbRXJTL4Prd
s7Vlkc685XBmSx7x6zv6EtXXPfDZDpl3NwyhCQkFlBGDmuh30UHfgfED92qHzRf7
hSHextVHsg/Pf3+xjaO/cHXDePdA7z4Hn3Sv+13D9weoqs8/ylM=
=V8ID
-----END PGP SIGNATURE-----


T
T
Tomas Volf wrote on 11 Jan 14:32 +0100
Re: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 65002@debbugs.gnu.org)
ZZ_t6oGZnHG_y4ne@ws
On 2024-01-10 00:28:18 +0100, Ludovic Courtès wrote:
Toggle quote (10 lines)
> Tomas Volf <wolf@wolfsden.cz> skribis:
>
> > In order to be able to provide decryption keys for the LUKS device, they need
> > to be available in the initial ram disk. However they cannot be stored inside
> > the usual initrd, since it is stored in the store and being a
> > world-readable (as files in the store are) is not a desired property for a
> > initrd containing decryption keys.
>
> This explanation should go in the manual IMO (it’s already partly there).

Done.

Toggle quote (17 lines)
>
> > This commit adds an option to load additional initrd during the boot,
> > one that is not stored inside the store and therefore can contain
> > secrets.
> >
> > Since only grub supports encrypted /boot, only grub is modified to use the
> > extra-initrd. There is no use case for the other bootloaders.
> >
> > * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> > field.
> > * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> > * gnu/bootloader/grub.scm: Use the new extra-initrd field
>
> It’d be great if you could specify the entities changes in each file
> (which variable/procedure is changed, what is added/removed). A
> committer can do it on your behalf later if you’re unsure.

Done, this was one of my first patches and I was quite unsure about the commit
message format. These days I am still unsure, but a little less so. ^_^

Toggle quote (10 lines)
>
> > +@item @code{extra-initrd} (default: @code{#f})
> > +Path to an additional initrd to load. Should not point to a file in the
>
> s/Path/File name/ (by convention)
>
> Please make full sentences. “Should not” is probably too strong;
> perhaps: “It may or may not point to a file in the store, but the main
> use case is for out-of-store files containing secrets.”

For content that can be present in the store, the regular `initrd' should be
used instead I think. However I adjusted the wording.

Toggle quote (29 lines)
>
> > +store. Typical use case is making keys to unlock LUKS device available
>
> Add a line break after “store.” to distinguish the reference from the
> discussion of one possible use case.
>
> > +during the boot process. For any use case not involving secrets, you
> > +should use regular initrd (@pxref{operating-system Reference,
> > +@code{initrd}}) instead.
> > +
> > +Suitable image can be created for example like this:
> > +
> > +@example
> > +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> > +chmod 0000 /key-file.cpio
> > +@end example
> > +
> > +Be careful when using this option, since pointing to a file that is not
> > +readable by the grub while booting will cause the boot to fail and
> > +require a manual edit of the initrd line in the grub menu.
> > +
> > +Currently only supported by grub.
>
> s/grub/GRUB/
>
> Would be great if you could include also a short config example here, or
> add a cross-reference to the example for
> ‘luks-device-mapping-with-options’ if that covers both.

I added an example illustrating how these two work together.

Toggle quote (7 lines)
>
> > + (extra-initrd bootloader-configuration-extra-initrd
> > + (default #f)) ;string | #f
> > + )
>
> No lonely paren please. :-)

Well I moved the paren, but now the comment (string | #f) looks like it is for
the whole top-level sexp, not just for the extra-initrd field.

Toggle quote (5 lines)
>
> Otherwise LGTM.
>
> Could you send updated patches with these minor changes?

I will soon, just want spent a bit of time trying to make the system test for
this.

Toggle quote (3 lines)
>
> Thanks!

And thank you again for the review.

Tomas

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEt4NJs4wUfTYpiGikL7/ufbZ/wakFAmWf7eoACgkQL7/ufbZ/
wamGaw/8DLbzvyuojyQGST+WL1+EuQb4pmd0+gWOS/n+S6C0TDZzra6VRGvI6o+B
VrJb72ZRudt2/+kTJmIfA3Xso4FhfiUSeno4h8YttnIu4tEt+OO7kZ4pg1B78evg
CfTSi1BT1z2TTI2mhw7CcNEQ4m0RbDGRmaWnlHXPuJkX1ZJ5nukae5HZVQDL1GAY
BE1LvVSXmxY8uY9VXj1m01BpryqDM0muHNtp0uVghkQula6w4ryHrV+/wFtyA9gG
+xTg3qW7VavFO9BhGe2mpoMf/zcTU5BaTHytv7ie/sjxbsG/Xh/+JNDb1Io/gLP7
2guPt+kL8V5b+QHKV6oad7jddSuhZQpDR/KBvJ/HHKIYGPuOBzPSV98gqf0W13yn
zyz3bhBilQtejSyx49vxpODnmZIRQ5Xjc4ocjQ8Bo/KTBCFTDttHKwqZS0i+XOzn
pPxd/7cigEmSyd0sufU0aK4VrBiOPXJZnb/HtUeGkFILmRY1FzEFG94iqAk02ryd
1Ve9NY8qztE8KN9S6NgCINroPSr6tFybkuLxrUV8jS2dbbjKjtN0Q7YK5+pKUD1D
TXwgGGdbJWft6pih5F+tEkrMyEBr/ek1opsWKDxx8fMtRa543SmBUJ3uESzePlGu
zNI0Q3OcI4/eDQrKWXIGjERPh8zt32sVjN4A8lVPBibN3/l91m8=
=VCJY
-----END PGP SIGNATURE-----


T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994323.git.~@wolfsden.cz
From: Tomas Volf <wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++
gnu/bootloader.scm | 6 ++++-
gnu/bootloader/grub.scm | 7 ++++--
3 files changed, 59 insertions(+), 3 deletions(-)

Toggle diff (129 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
f8f72a3554346e6258d2027155af1b168ba998c6.1704994323.git.~@wolfsden.cz
Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)

Toggle diff (112 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
#:use-module (gnu packages admin)
#:use-module (gnu packages bootloaders)
#:use-module (gnu packages commencement) ;for 'guile-final'
+ #:use-module (gnu packages cpio)
#:use-module (gnu packages cryptsetup)
#:use-module (gnu packages disk)
#:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
%test-raid-root-os
%test-encrypted-root-os
%test-encrypted-home-os
+ %test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
%test-btrfs-root-os
%test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
mkfs.ext4 -L root-fs /dev/vdb2
mkfs.ext4 -L home-fs /dev/mapper/the-home-device
mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests. So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+ echo /key-file.bin | cpio -oH newc > key-file.cpio
+ chmod 0000 key-file.cpio
+ mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+ cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
mkdir /mnt/home
mount /dev/mapper/the-home-device /mnt/home
df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
(mlet* %store-monad ((images (run-install %encrypted-home-os
%encrypted-home-os-source
#:script
- %encrypted-home-installation-script))
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
+
+;;;
+;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source)
+ (use-modules (gnu) (gnu tests))
+
+ (operating-system
+ (host-name "cipherhome")
+ (timezone "Europe/Prague")
+ (locale "en_US.utf8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/vdb"))
+ (extra-initrd "/key-file.cpio")))
+ (kernel-arguments '("console=ttyS0"))
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-home-device")
+ (type (luks-device-mapping-with-options
+ #:key-file "/key-file.bin")))))
+ (file-systems (cons* (file-system
+ (device (file-system-label "root-fs"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (file-system-label "home-fs"))
+ (mount-point "/home")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-home-os-key-file
+ (system-test
+ (name "encrypted-home-os-key-file")
+ (description
+ "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source
+ #:script
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-home-os-key-file
+ command "encrypted-home-os-key-file")))))
+
;;;
;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 5/6] tests: install: Fix encrypted-root-os test.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
d996159c43a3f9a7988d8d643371ce16dc0c53e3.1704994323.git.~@wolfsden.cz
The installation no longer fits into the 1.6G, leading to a warning while
running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Toggle diff (15 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
ls -l /run/current-system/gc-roots
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
+ mkpart primary ext2 3M 2G \\
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
a2246b63802cba01ab0a416cee771ae0730e03d7.1704994323.git.~@wolfsden.cz
For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key. This commit therefore
sets the iteration time to the lowest possible value, 1(ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
mkpart primary ext2 50M 1.6G \\
set 1 boot on \\
set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
mkfs.ext4 -L my-root /dev/mapper/root
mkfs.ext4 -L my-boot /dev/vdb2
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 1/6] mapped-devices: Allow unlocking by a key file.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
e1066830735b7180a3f23218c4623a63145796de.1704994323.git.~@wolfsden.cz
From: Tomas Volf <wolf@wolfsden.cz>

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
doc/guix.texi | 25 +++++++++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 67 insertions(+), 25 deletions(-)

Toggle diff (160 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
Copyright @copyright{} 2023 Thomas Ieong@*
Copyright @copyright{} 2023 Saku Laesvuori@*
Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot. If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;; cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:32 +0100
[PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
cedd6182d7d4aa20a11d3115283adec33fad2583.1704994323.git.~@wolfsden.cz
The installation no longer fits into the 1.6G, leading to a warning while
running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

Toggle diff (39 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
export GUIX_BUILD_OPTIONS=--no-grafts
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
- mkpart primary 1.6G 2.0G \\
+ mkpart primary ext2 3M 2G \\
+ mkpart primary 2G 2.4G \\
set 1 boot on \\
set 1 bios_grub on
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
%encrypted-home-os-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
%encrypted-home-os-key-file-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os-key-file
command "encrypted-home-os-key-file")))))
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
e1066830735b7180a3f23218c4623a63145796de.1704994535.git.~@wolfsden.cz
From: Tomas Volf <wolf@wolfsden.cz>

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
doc/guix.texi | 25 +++++++++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 67 insertions(+), 25 deletions(-)

Toggle diff (160 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
Copyright @copyright{} 2023 Thomas Ieong@*
Copyright @copyright{} 2023 Saku Laesvuori@*
Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot. If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;; cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994535.git.~@wolfsden.cz
From: Tomas Volf <wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++
gnu/bootloader.scm | 6 ++++-
gnu/bootloader/grub.scm | 7 ++++--
3 files changed, 59 insertions(+), 3 deletions(-)

Toggle diff (129 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
f8f72a3554346e6258d2027155af1b168ba998c6.1704994535.git.~@wolfsden.cz
Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)

Toggle diff (112 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
#:use-module (gnu packages admin)
#:use-module (gnu packages bootloaders)
#:use-module (gnu packages commencement) ;for 'guile-final'
+ #:use-module (gnu packages cpio)
#:use-module (gnu packages cryptsetup)
#:use-module (gnu packages disk)
#:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
%test-raid-root-os
%test-encrypted-root-os
%test-encrypted-home-os
+ %test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
%test-btrfs-root-os
%test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
mkfs.ext4 -L root-fs /dev/vdb2
mkfs.ext4 -L home-fs /dev/mapper/the-home-device
mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests. So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+ echo /key-file.bin | cpio -oH newc > key-file.cpio
+ chmod 0000 key-file.cpio
+ mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+ cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
mkdir /mnt/home
mount /dev/mapper/the-home-device /mnt/home
df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
(mlet* %store-monad ((images (run-install %encrypted-home-os
%encrypted-home-os-source
#:script
- %encrypted-home-installation-script))
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
+
+;;;
+;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source)
+ (use-modules (gnu) (gnu tests))
+
+ (operating-system
+ (host-name "cipherhome")
+ (timezone "Europe/Prague")
+ (locale "en_US.utf8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/vdb"))
+ (extra-initrd "/key-file.cpio")))
+ (kernel-arguments '("console=ttyS0"))
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-home-device")
+ (type (luks-device-mapping-with-options
+ #:key-file "/key-file.bin")))))
+ (file-systems (cons* (file-system
+ (device (file-system-label "root-fs"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (file-system-label "home-fs"))
+ (mount-point "/home")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-home-os-key-file
+ (system-test
+ (name "encrypted-home-os-key-file")
+ (description
+ "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+ %encrypted-home-os-key-file-source
+ #:script
+ %encrypted-home-installation-script
+ #:packages (list cpio)))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-home-os-key-file
+ command "encrypted-home-os-key-file")))))
+
;;;
;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
a2246b63802cba01ab0a416cee771ae0730e03d7.1704994535.git.~@wolfsden.cz
For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key. This commit therefore
sets the iteration time to the lowest possible value, 1(ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
gnu/tests/install.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
- cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+ cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
echo -n " %luks-passphrase " | \\
cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
mkpart primary ext2 50M 1.6G \\
set 1 boot on \\
set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
mkfs.ext4 -L my-root /dev/mapper/root
mkfs.ext4 -L my-boot /dev/vdb2
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 5/6] tests: install: Fix encrypted-root-os test.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
d996159c43a3f9a7988d8d643371ce16dc0c53e3.1704994535.git.~@wolfsden.cz
The installation no longer fits into the 1.6G, leading to a warning while
running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
gnu/tests/install.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Toggle diff (15 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
ls -l /run/current-system/gc-roots
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
+ mkpart primary ext2 3M 2G \\
set 1 boot on \\
set 1 bios_grub on
echo -n " %luks-passphrase " | \\
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:35 +0100
[PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
cedd6182d7d4aa20a11d3115283adec33fad2583.1704994535.git.~@wolfsden.cz
The installation no longer fits into the 1.6G, leading to a warning while
running the test:

guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

93% [#################################################################### ]note: build failure may have been caused by lack of free disk space
builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
gnu/tests/install.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

Toggle diff (39 lines)
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
export GUIX_BUILD_OPTIONS=--no-grafts
parted --script /dev/vdb mklabel gpt \\
mkpart primary ext2 1M 3M \\
- mkpart primary ext2 3M 1.6G \\
- mkpart primary 1.6G 2.0G \\
+ mkpart primary ext2 3M 2G \\
+ mkpart primary 2G 2.4G \\
set 1 boot on \\
set 1 bios_grub on
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
%encrypted-home-os-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os command "encrypted-home-os"
#:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
%encrypted-home-os-key-file-source
#:script
%encrypted-home-installation-script
- #:packages (list cpio)))
+ #:packages (list cpio)
+ #:target-size
+ (* 3000 MiB)))
(command (qemu-command* images)))
(run-basic-test %encrypted-home-os-key-file
command "encrypted-home-os-key-file")))))
--
2.41.0
T
T
Tomas Volf wrote on 11 Jan 18:39 +0100
Re: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 65002@debbugs.gnu.org)
ZaAnz7xdkuproEOJ@ws
On 2024-01-11 13:39:36 +0100, Tomas Volf wrote:

Toggle quote (14 lines)
>
> >
> > I wonder if we could have a system test; it doesn’t sound very easy so
> > maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> > which exercises ‘luks-device-mapping’, still passes (it takes time and
> > disk space).
>
> It does not pass, but it fails even on master ¯\_ (?)_/¯:
>
> guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt
>
> It seems somewhat hard to do it based on encrypted-root-os, but should be much
> easier basing it on encrypted-home-os. I might give it a try.

I managed to figure out the system test for this, however it required unrelated
changes, since encrypted-root-os and encrypted-home-os were broken even on
master. I included my new test (together with the fixes) in v3.

Also, I messed up, and sent this *without* the v3 by accident. When I realized,
I sent it once more, this time properly as v3. Sorry for the noise.

Tomas

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEt4NJs4wUfTYpiGikL7/ufbZ/wakFAmWgJ88ACgkQL7/ufbZ/
wamArQ/+KCvEkm9QzHh9l6OkY8tmofk6wqAbylLNf15xsEDtWwdM19TVT8juGpZ3
9+cMkdS1n86Ta5geCpy0X5M10W1GZwKLOnqz10IoGCojhs1SbncvWQktaiaTS0yo
+QW1RKan9cMAm6hAsjnUcJ1lbHXJHihakdd4mBjD6X2B0MJO1O9rZz/dzBNs66XH
Smtv359bpMaXvC4+mwd72reyJuhxUAU/zSpEqnprhiwS4L8X/6C/sTtooeVaoQ7l
Y5inkmeWrfF+t1yZ8JqFEUAUciV6dLBwggBK8dnx017CBJl386tt3zLNHVkfnGKo
FJaHtW6LrW4aWTIvK7jc3PxxpVSc4MeVazxRVyxW7ZLkY4j89jI9Ci4C+nfu/IQJ
cySfY2AoDrihd0gmT0SKHZkwA/Ja/fNUxGh5TFMD/60Je1vCoB9wkZ2j/iebCeuL
d11EpxRb7jz76e4zSZqWMwnpA26v5wFKS4wiL985GEn5oJc6OK+sfIP6gPrWgTZB
BxorSaGb7RsrTaYcEK7ViMIgS8Zj/A/VF59t/pbbF7VGTpVyMycIPvGMiIyfh8Hh
GpEK9GEBf7xWKfLQyUgVr+Gbu7Oag2NaWMbKkNVxLCIFlY68bWlGyCy+5vw6p0i4
RR89ca3UmoPfWhU99RUj7yYGUwvF8AzjvF+ufTdqqjyrwn/kHMc=
=Ibtu
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 14 Jan 21:53 +0100
Re: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
(name . Tomas Volf)(address . ~@wolfsden.cz)
874jffhc1h.fsf@gnu.org
Hi Tomas,

I finally applied v3 of this patch series, it looks great to me.

Thank you, and again apologies for the long delay!

Ludo’.
Closed
L
L
Ludovic Courtès wrote on 14 Jan 21:54 +0100
Re: [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.
(name . Tomas Volf)(address . ~@wolfsden.cz)(address . 65002@debbugs.gnu.org)
87zfx7fxfx.fsf@gnu.org
Tomas Volf <~@wolfsden.cz> skribis:

Toggle quote (9 lines)
> For testing that installation works, there is no need to spent 2000ms (the
> default) iterating while generating the encryption key. This commit therefore
> sets the iteration time to the lowest possible value, 1(ms).
>
> * gnu/tests/install.scm (%encrypted-root-installation-script):
> (%encrypted-home-installation-script):
> (%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
> invocation.

This and the fixes that follow are much welcome, thanks a lot!
?