Bug 600992 - sys-kernel/genkernel-next-64: allow use of key for crypto root partition directly from root_key option
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: genkernel-next
Hardware: All Linux
Importance: Normal enhancement
Assignee: Ettore Di Giacinto (RETIRED)
 
Reported: 2016-11-27 13:44 UTC by Morton Pellung
Modified: 2020-08-20 12:51 UTC (History)



Attachments
patches 00-crypt.sh (00-crypt.sh, 12.61 KB, application/x-shellscript), 2016-11-27 13:44 UTC, Morton Pellung

Description Morton Pellung 2016-11-27 13:44:06 UTC
Created attachment 454520
patches 00-crypt.sh

genkernel-next supports a LUKS-encrypted root partition; the proper key must be passed via the root_keydev+root_key parameters from GRUB2. Unfortunately genkernel-next does not check whether the file pointed to by root_key already exists, but instead always wants to mount the device root_keydev first and only then looks for the file root_key.

I hacked a workaround for this into 00-crypt.sh, at about line 135:

if [ -n "${luks_key}" ]; then
    # New check: if root_key already points at a non-empty file inside the
    # initramfs, use it directly and skip the root_keydev mount logic.
    if [ -s "${luks_key}" ]; then
        echo "*** keyfile already found!"
        cryptsetup_opts="${cryptsetup_opts} --key-file ${luks_key}"
    else
        echo "*** cannot access supplied keyfile, trying original way..."
        # ... the original root_keydev mount and key lookup (~80 lines)
        # continues here unchanged, inside the new else branch.

So first I check if luks_key is already there and, if yes, just ignore the following ~80 lines of script.
If I properly pass a keyfile that's already in the initramfs -> all is OK and root is automatically mounted.
If I made a typo in the filename of the key -> I am asked to enter the password manually.
If I fail to pass root_keydev+root_key -> I am asked to enter the password manually.

I attach my patched 00-crypt.sh to this bug.
TODO: currently my patched version still requires root_keydev=/, however this is just extra noise in the GRUB2 options.


"But what's the point?" you ask; having the keyfile accessible in the initramfs is stupid/unsafe?
It is needed in case of full-disk encryption: meaning the whole disk is one large encrypted partition (e.g. /dev/sda1) and within this partition you use LVM logical volumes for root, swap etc. Upon boot GRUB2 asks for the password of the encrypted partition and only after success decrypts and boots further to the GRUB2 menu. In order to boot Linux one would then have to enter the same password a second time for the initramfs root mounting - or you can put the key into the initramfs image and pass it via root_keydev+root_key. So this saves the user a second question for the identical password, and note that he would not get that far if he did not already know it at GRUB2's first decryption prompt.


Please improve my ugly hack and consider this feature for upstream so one can have comfortable full-disk encryption.
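As an added example (not code from genkernel-next's 00-crypt.sh and not the reporter's attached patch), the lookup order the report asks for as a POSIX sh function: a non-empty key file already present in the initramfs wins, the key device is consulted only otherwise, and if neither yields a key the caller falls back to a passphrase prompt. The key device is modelled as a directory assumed to be already mounted at the second argument, and no cryptsetup is actually run.

```shell
#!/bin/sh
# Added example, not the genkernel-next code. The key device is modelled as a
# directory already mounted at KEYDEV_MNT (a real initramfs would mount
# root_keydev there first); cryptsetup itself is never invoked here.

# resolve_luks_key KEY KEYDEV_MNT
# Prints the key file path to use and returns 0, or prints nothing and
# returns 1, meaning "ask for a passphrase instead".
resolve_luks_key() {
    luks_key=$1
    keydev_mnt=$2

    # No root_key given at all: nothing to look for, prompt for a passphrase.
    [ -n "${luks_key}" ] || return 1

    # Case 1: the key already exists (and is non-empty) inside the initramfs,
    # so it is used directly and the key device is never touched.
    if [ -s "${luks_key}" ]; then
        printf '%s\n' "${luks_key}"
        return 0
    fi

    # Case 2: the original behaviour, look for the (relative) name on the
    # mounted key device.
    if [ -n "${keydev_mnt}" ] && [ -s "${keydev_mnt}/${luks_key}" ]; then
        printf '%s\n' "${keydev_mnt}/${luks_key}"
        return 0
    fi

    # Case 3: typo in the filename, empty file, or no key device: fall back
    # to the interactive passphrase prompt.
    return 1
}

# cryptsetup_opts_for KEY KEYDEV_MNT
# Prints the extra cryptsetup option "--key-file PATH", or nothing when the
# passphrase fallback applies.
cryptsetup_opts_for() {
    key=$(resolve_luks_key "$1" "$2") || return 0
    printf '%s %s\n' '--key-file' "${key}"
}
```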
Comment 1 Morton Pellung 2017-07-11 16:32:04 UTC
For reference, someone has the same need, developed a patch and offers it to upstream:
https://github.com/Sabayon/genkernel-next/pull/50
Comment 2 Michał Górny 2020-08-20 12:51:01 UTC
Package removed.