Re: Uniquely Identifying USB filesystem possible?

[Andrei Borzenkov]

On 16.01.2024 19:39, Harry Hirte wrote:
> On Tuesday, January 16, 2024 at 03:28:43 PM GMT+1, Andrei Borzenkov 
> <arvidjaar@gmail.com> wrote:
>
>
> > You specify it as (hd0) *where*?
>
> instead of the ($keyfile)0+ I use (hd0) - then it does work
>
>
> > > cryptomount -k ($keyfile)0+ -O xxx -S yyy -u $crypto_uuid
>
> > Do you really have the file with the name "0+" on this filesystem?
> > What type does this filesystem have?
>
> I took that straight out of the grub manual:
>
> "Devices are not allowed to be given as key files nor as detached header files. 
> However, this limitation can be worked around by using blocklist syntax. So for instance, 
> (hd1,gpt2) can not be used, but (hd1,gpt2)0+ will achieve the desired result."

You are right, it is just rather unusual syntax (and undocumented by the 
way), more common is (hd)+1. But yes, it is valid and refers to the full 
device. You could have spared 0 as well, just (hd0)+ should be enough.

> In my case the $keyfile would point to (hd0), so I tried the above.
>
> > > set root=lvm/vg0-root
> > > set prefix=(lvm/vg0-boot)/grub
> > > insmod normal
> > > normal
>
>
> > And what happens when these commands are run?
>
> since it is unable to open the $keyfile, decryption fails - subsequently the 
> lvm on the crypt volume cannot be opened
>
> > the USB-stick is configured as luks-device with the UUID 24cc...
>
> > it is absolutely unclear what it means. If it is a LUKS device, you
> > need to open it first. If it is not a LUKS device, where exactly this
> > UUID is defined?
>
> Ok. I took an old 4GB usb stick, put a GPT on it with fdisk. Then I used
>
> cryptsetup luksFormat /dev/sdx (x=whatever the entire usb stick is, as seen 
> with lsblk)
> I enter the encryption key twice and then cryptsetup tells me the uuid, which I 
> can also see in /dev/disk/by-uuid:
> lrwxrwxrwx 1 root root   9 Jan 16 14:42 24cc...  -> ../../sda
>
> # fdisk -l /dev/sda
> Disk /dev/sda: 3.8 GiB, 4083351552 bytes, 7975296 sectors
> Disk model: USB Flash Drive
> Units: sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> # cryptsetup luksOpen /dev/sda cryptstick
> Enter passphrase for /dev/sda:
>
> afterwards:
>
> # dmsetup ls
> cryptstick    (254:4)
>
> I would say this qualifies as a luksvolume:
>
> # cryptsetup luksDump /dev/sda
> LUKS header information for /dev/sda
>
>
> Version:           1

This is LUKS1

> ...
> UUID:              24cc...
>
>
> Key Slot 0: ENABLED
>
> ...
>
> I also tried partitioning another usb-stick with partition1 as efi and 
> partition2 encrypted like shown above:
>
> ...
> sdf                           8:80   1   7.4G  0 disk
> ├─sdf1                        8:81   1   100M  0 part  <== efi partition
> └─sdf2                        8:82   1   100M  0 part  <== sdf2 is encrypted 
> with luksFormat  just like above
>
> ...
>
> Same result.  If I try to access the encrypted partition sdf2 grub returns "unknown 
> filesystem"
> (Note: Of course I have used dd to extract some random data-string inside the 
> respective USB luks-partition and used it as key for the disk encryption,
> as the successful attempt using (hd0) shows).

And that information was missing.

> The structure is exactly as on the M.2 disk that I want to automatically 
> decrypt.
> cryptomount -a only offers the M.2 and the SATA-disk that I have currently 
> installed. None of the USB devices show up.

Those bits of information you provided in your previous mail only 
mention luks2 module and your device is LUKS1, so it is expected that it 
will not be detected.

But that does not matter, because if you use part of the physical device 
as the key, then cryptomount'ing it will not help you to get this key.

> > > As mentioned, this does not work - even using cryptomount with this UUID fails.
>
> > So it is probably *not* a LUKS device.

It is not LUKS*2* device.

> not for grub apparently - it (or the BIOS?) seems to handle disks connected via 
> M.2 slot or SATA differently from USB.
>
>
> > You can start with describing the content of this USB stick. So far it
> > is rather hard to understand what you use. Showing the commands that
> > *do* work may be of some help. Showing the commands you use to create
> > this USB stick would help further.
>
> I hope what I wrote clears this up.
> My main objective is to use unique device descriptors (hd0) will probably move 
> to (hd1) if I have another stick in the wrong USB port
> I had hoped using luks would make the UUIDs detectable for grub , but I guess 
> that's not the case for USB.

GRUB UUID search is implemented for filesystems only. So I do not 
understand why you are trying to jump through the hoops. Just create 
normal filesystem (that can be detected using search.fs_uuid) and place 
your keyfile there.