grub-devel

Re: [PATCH v3 0/3] Cryptomount detached headers


From: Glenn Washburn
Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
Date: Mon, 1 Aug 2022 15:50:27 -0500

On Sat, 30 Jul 2022 11:54:32 +0200 (CEST)
brutser--- via Grub-devel <grub-devel@gnu.org> wrote:

> Glenn,
> 
> 
> 
> As I had no idea how to get the debug logs from qemu, I made screenshots, 
> find them attached. As this is probably something I am doing wrong, I hope it 
> shows from the logs.
> 
> https://imgur.com/a/rAlfZ77

Getting the output to go to serial depends on the target. For i386
using seabios, use "-fw_cfg name=etc/sercon-port,string=0 -serial
stdio".

Unfortunately, I'm now seeing that there are no debug log messages
in the luks2 module that would be shown in this case. How about putting
the line 'grub_dprintf("entering luks_scan");' at the start of the
function luks2_scan in grub-core/disk/luks2.c and then recompiling and
getting the output?

Glenn


> 
> From: Glenn Washburn <development@efficientek.com>
> To: brutser@perso.be
> Subject: Re: [PATCH v3 0/3] Cryptomount detached headers
> Date: 29/07/2022 21:27:48 Europe/Paris
> Cc: grub-devel@gnu.org;
>    dkiper@net-space.pl;
>    ps@pks.im
> 
> On Fri, 29 Jul 2022 20:56:18 +0200 (CEST)
> brutser@perso.be wrote:
> 
> > 
> > testing detached header failed:
> > 
> > 
> > 
> > 1. built grub payload with following modules: ahci usb_keyboard part_msdos 
> > part_gpt at_keyboard cbfs cryptodisk luks2 lvm gcry_rijndael gcry_sha1 
> > gcry_sha256 gcry_sha512
> > 
> > 2. encrypt a partition: cryptsetup luksFormat --type luks2 -q -h sha512 -s 
> > 512 --pbkdf pbkdf2 --header /path/to/header --luks2-metadata-size=16k 
> > --luks2-keyslots-size=512k /dev/sda1
> > 
> > (where --luks2-metadata-size=16k --luks2-keyslots-size=512k is optional, 
> > this is just to minimize header size, but I also tested without).
> > 
> > 3. from the grub cmd, I try to decrypt this partition using: cryptomount -H 
> > /path/to/header (ahci0,msdos1)
> > 
> > 
> > 
> > 4. I also tried luks1 encryption with detached header.
> > 
> > 
> > 
> > whatever I try, I always get the same error:
> > 
> > "no cryptodisk module can handle this device"
> > 
> > 
> > 
> > Is this feature not 100% implemented yet? I saw people already verifying 
> > the patches and would expect this to be working, so if yes, this seems like 
> > a bug.
> 
> This feature should be working in all cases, and if not there may be a
> bug. I responded to your off-list email before seeing this one. I'll
> repeat what I said there and let's continue this discussion on the list.
> 
> I see nothing obviously wrong with what you're doing, given the
> information above. To further debug this, would you be able to send a
> log of the serial output when the GRUB envvar debug is set to "all"
> while running the cryptomount command? If so, please send compressed in
> a reply to this email on the list.
> 
> If you can't because of hardware issues, would you be able to replicate
> this in QEMU and grab the serial output from there? If you can boot the
> system via other means, you should be able to use the raw disks (the
> one with the LUKS volume and the other with the filesystem containing
> the header file).
> 
> Glenn
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
> 


