Ludovic Courtès <[email protected]> writes: >> I *think* just swapping order in mapped-devices.scm (to try keyfile >> first) should solve my problem. I will try whether that works and if it >> does, send a patch. > > Cool, thanks!
You can find the patch attached. I have tested it in a VM and it seems to work fine, I will carry it in my tree for now. I also took the liberty to CC Danny Milosavljevic, as original author of the rewrite to use /etc/luks_script. Tomas
From 7db9d6e994584a07e04d46edc5ef2de0b4d92fa4 Mon Sep 17 00:00:00 2001 Message-ID: <7db9d6e994584a07e04d46edc5ef2de0b4d92fa4.1780771468.git.~@wolfsden.cz> From: Tomas Volf <[email protected]> Date: Sat, 6 Jun 2026 20:42:38 +0200 Subject: [PATCH] mapped-devices: Try unlock via keyfile first. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the original code, unlock via the /etc/luks_script was attempted first, even when unlocking after the root pivot. That led to messages like the following being logged. [ 5.708467] shepherd[1]: luks-master-key: /etc/luks_script not found, skipping They are harmless, but mildly annoying—especially when printed once for every single device being unlocked—due to there being no action the user can take to address them. There is no way to get /etc/luks_script after the root pivot. We can get rid of the warning by trying the key file first, and only then falling back to the other methods. --- gnu/system/mapped-devices.scm | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 8c32c3d3d4d..5b03051b912 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2014-2022, 2024-2025 Ludovic Courtès <[email protected]> ;;; Copyright © 2016 Andreas Enge <[email protected]> ;;; Copyright © 2017, 2018 Mark H Weaver <[email protected]> -;;; Copyright © 2024 Tomas Volf <[email protected]> +;;; Copyright © 2024, 2026 Tomas Volf <[email protected]> ;;; ;;; This file is part of GNU Guix. ;;;
@@ -346,23 +346,24 @@ (define* (open-luks-device source targets '()) '#$extra-options (list partition #$target))))) - ;; Try the GRUB-provided LUKS master key first (from - ;; /etc/luks_script, injected into the initrd via GRUB's - ;; newc: mechanism). This avoids prompting for the password - ;; a second time when GRUB already decrypted the same LUKS - ;; volume. Fall back to keyfile or interactive password on - ;; any failure. - (or (try-luks-script-master-key cryptsetup partition #$target + ;; Try keyfile first to respect user wishes. If that fails + ;; (or no keyfile was provided), try the GRUB-provided LUKS + ;; master key (from /etc/luks_script, injected into the + ;; initrd via GRUB's newc: mechanism). This avoids prompting + ;; for the password a second time when GRUB already decrypted + ;; the same LUKS volume. Fall back interactive password as + ;; last resort. + (or (and keyfile + (zero? (apply system*/tty cryptsetup + "--key-file" keyfile cryptsetup-flags))) + (try-luks-script-master-key cryptsetup partition #$target (append (if #$allow-discards? '("--allow-discards") '()) '#$extra-options)) - ;; We want to fallback to the password unlock if the - ;; keyfile fails. - (and keyfile - (zero? (apply system*/tty cryptsetup - "--key-file" keyfile cryptsetup-flags))) + ;; We want to fallback to the password unlock if other + ;; options fail. (zero? (apply system*/tty cryptsetup cryptsetup-flags))))))))))) -- 2.54.0
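Review bot: the new comment in the open-luks-device hunk reads "Fall back interactive password as last resort" and is missing a word; suggest "Fall back to the interactive password as a last resort." One behavioural point worth stating in the comment or commit message: because `(and keyfile (zero? (apply system*/tty cryptsetup "--key-file" keyfile cryptsetup-flags)))` is now evaluated before `try-luks-script-master-key`, a configured keyfile that is not reachable during the initrd stage will presumably make cryptsetup report a failed key-file open on every early-boot unlock before the GRUB master key is tried, so in that configuration the change moves where the noise appears rather than removing it. Spelling out the intended precedence (keyfile, then GRUB master key from /etc/luks_script, then password prompt) in the commit message would make that trade-off explicit for anyone reading the log later.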
-- There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
