Jinesh Choksi <jin...@onelittlehope.com> (2023-07-02):
> The issue is this block of code:
> https://salsa.debian.org/installer-team/partman-crypto/-/blob/master/check.d/crypto_check_mountpoints#L94-102
> This 17 year old "Check - Is there a /boot partition for encrypted
> root?" is no longer valid.

It is.

> Grub2 added support for accessing LUKS1 partitions in 2011 -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a251b71915e40194d12995dbac9efd787687f988

Sure, that's known, and there were two talks during Mini-DebConfs in
2019 about this and LUKS2 (Marseille, Hamburg).

> Grub2 support for LUK2 is also present but only for PBKDF2 keys -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

And since default LUKS2 settings are argon2id (argon2i previously), that
means that cannot work.

> For people who use LUKS1 to do full disk encryption, this "Check - Is
> there a /boot partition for encrypted root?" is a blocker in the
> Debian installer.

People finding their way to use LUKS1 instead of the default LUKS2 can
remove this check on their own.

> Dear maintainer(s), please review this bug report and remove this
> check.

Not until GRUB gets support for argon2i{d,}. And that's where my focus
is right now when it comes to d-i vs. LUKS.

PoC at https://salsa.debian.org/kibi/grub/-/commits/luks2-argon2-v0
but I have better plans to investigate.

Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply via email to