[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Support for plain dm-crypt and detached LUKS header

From: Mat628
Subject: Re: Support for plain dm-crypt and detached LUKS header
Date: Sat, 08 Apr 2017 12:16:09 -0400

Hi, I'd like to first say thanks to the additions you made to cryptomount. I 
came across your patches 2-3 months ago when I was looking to do FDE including 
/boot for LVM on LUKS. I created a few patches outlined with their features 
below. I would have messaged sooner but I didn't know about these posts on 
grub-help until after finding the link from your github. After also coming 
across the problem of having no way to reliably predict what a device 
(hd0,msdos1) will map to, I ended up creating an add-on command, that uses the 
partition UUID/GUID, to search (--pt-uuid) and an accompanying module 
search.pt_uuid. These two commands mirror the search --fs-uuid and 
search.fs_uuid where given a uuid it will return the device. When given a 
disk/partition UUID/GUID that corresponds to a disk that is either a biosdisk 
or efidisk, or a partition with a partmap name of either "msdos" or "gpt" on 
one of the previous disks it will return that device.

Patch 1 stops search from printing same device twice if called multiple times.

Patch 2 allows this--->Added module search_pt_uuid. When given a disk/part 
UUID/GUID it will return the associated device.
On a biosdisk/mbr it will return the same value for the device 
(hd0)/(hd0,msdos1) as lsblk -o PARTUUID returns. This should be the same as the 
NT disk signature located at mbr.code[440] for 4 bytes in little endian format 
plus the partition number appended if applicable xxxxxxxx-yy. On an efidisk/gpt 
it will return the same value for the device (hd0)/(hd0,gpt1) as lsblk -o 
PARTUUID returns. This will be the disk/partition UUID/GUID.

An example of using this command inside load.cfg or directly on the grub 
command line. This example is for a detached header LUKS volume on (hdX,msdosY) 
which corresponds to a partuuid of 12345678-01 with the header file stored on a 
plain text partition either on the same device or a different one with a 

From your site this would look like

cryptomount -H (hd0,1)/header hd1,1

But with my patch it would be.

search.fs_uuid 5432-7654 header_file_device ----Line for setting (hd0,1)
search.pt_uuid 12345678-01 cryptodevice ----Line for setting (hd1,1)
cryptomount ($cryptodevice) --header=($header_file_device)/header.bin

Or if the header file is in a separate encrypted LUKS volume. LUKS volume UUID 
is 12345678-1234-1234-1234-1234567890ab. When the LUKS volume is open the 
mounted fs_uuid is 11112222-3333-4444-5555-123456654321 for a ext4 partition.

cryptomount -u 12345678-1234-1234-1234-1234567890ab ----Line for opening the 
LUKS volume with the header file in it.
search.fs_uuid 11112222-3333-4444-5555-123456654321 header_file_device ----Line 
for setting (hd0,1)
search.pt_uuid 12345678-01 cryptodevice ----Line for setting (hd1,1)
cryptomount ($cryptodevice) --header=($header_file_device)/header.bin ----Line 
for opening LUKS volume with /boot

Patch 3 allows this---->Inclusion of altered "load.cfg" to 
mattle_opts (More Advanced Than Traditional LUKS Encryption Options). Added 
mattle_opts.cfg file which allows the user to customize load.cfg to allow for 
extra options for cryptomount. mattle_opts.cfg is located in user-defined/etc/ 
folder. Same folder as crypttab and fstab. Only affects cryptomount options in 
load.cfg and only if GRUB_ENABLE_CRYPTODISK_MATTLE_OPTS=y is set in grub.cfg. 
If not set then normal 'cryptomount -u $uuid' is printed to load.cfg. I altered 
grub-install and grub-mkconfig to allow it to have essentially an alternate 
load.cfg (mattle_opts.cfg) to be easily editted by the user prior to running 
grub-install to allow grub-install to then read from this file and then fprint 
this alternate files contents into load.cfg to allow your alternate cryptomount 
commands to be run during boot up. This does not interfere with any of 
grub-install's other actions with load.cfg it merely replaces the normal 
'cryptomount -u $uuid' that is printed from grub-install into load.cfg. This 
makes it so you don't have to do grub-mkimage and the associated commands. Also 
added command line options for grub-install/mkconfig to allow an alternate 
mattle_opts.cfg to allow the user to quickly install grub to another device 
without having to modify the default mattle_opts.cfg.

Patch 4 allows this----> grub-install and grub-mkconfig magic for /boot on a 
detached header LUKS volume
Added grub-install magic for a crypto-device that is on a disk with either an 
msdos or gpt partition table and either on a biosdisk or efidisk. Grub-install 
magic works with grub-mkconfig for booting a detached header LUKS volume when 
used with --crypto-device and --crypto-header. By reading the actual header 
file that corresponds to that partitcular LUKS volume this allows 
grub-install/mkconfig to have the proper modules loaded by grub. The 
grub-install command for /boot located on /dev/sda1 where /dev/sda1 is a 
detached header LUKS volume and the header is located on the root / directory 
and we are installing to /dev/sda.

grub-install --boot-directory=/boot --crypto-device=/dev/sda1 
--crypto-header=/header.bin /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

For above patch 4 grub-install needs to be run prior to grub-mkconfig so the 
proper *.cfg files are created and configured to allow cryptodisk.c and luk.c 
to create a cryptodisk based off the stated crypto-device.

A few notes: mattle_opts.cfg is read only by grub-install/mkconfig and must be 
edited outside of grub using nano/text editor.
The command line options for grub-install do not alter mattle_opts.cfg so if 
installing to two different devices i.e a usb stick and a hard drive, 
mattle_opts.cfg may need to be edited. i.e. depending on where header/key files 
are stored.
The easiest setup seems to be /boot/grub on the rootfs and only have the 
applicable header/key files on the usb either in plain text or in an encrypted 
partition, and have the boot.img and core.img installed to the usb as well.
The changes to luks.c should only be in effect for grub utils and not in effect 
during booting.

I've also included your first 3 LUKS patches as they would apply after my 
patches. These patches are based off of grub-2.02-rc2. I tested these to work 
on x64 version of Ubuntu 16.04 LTS running bios. For the efi with gpt it was 
tested on a virtual machine x64 Ubuntu 16.04 LTS.

Best regards,

Attachment: 0004-Added-grub-install-mkconfig-magic-for-detached-heade.patch
Description: Text Data

Attachment: 0007-Added-LUKS-patch-3.patch
Description: Text Data

Attachment: 0005-Added-LUKS-patch-1.patch
Description: Text Data

Attachment: 0006-Added-LUKS-patch-2.patch
Description: Text Data

Attachment: 0003-Added-mattle_opts.cfg.patch
Description: Text Data

Attachment: 0002-Added-search_pt_uuid-module.patch
Description: Text Data

Attachment: 0001-Search-bug-fix-stop-duplicate-printing-of-cache-devi.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]