Control: tag -1 upstream fixed-upstream patch On Mon, 09 Jan 2023 12:12:19 +0100 Laurent Bigonville <bi...@debian.org> wrote: > Package: grub-common > Version: 2.06-7 > Severity: serious > File: /usr/sbin/grub-probe > > Hello, > > On a newly installed laptop, it seems that grub-probe is not able to > detect that files are on an encrypted FS. > > New laptop: > > $ sudo grub-probe -t abstraction > /usr/share/images/desktop-base/desktop-grub.png > lvm > > $ sudo lsblk > NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS > nvme0n1 259:0 0 476,9G 0 disk > ├─nvme0n1p1 259:1 0 512M 0 part /boot/efi > ├─nvme0n1p2 259:2 0 488M 0 part /boot > └─nvme0n1p3 259:3 0 476G 0 part > └─nvme0n1p3_crypt 254:0 0 475,9G 0 crypt > ├─new_laptop--vg-root 254:1 0 27,9G 0 lvm / > ├─new_laptop--vg-swap_1 254:2 0 976M 0 lvm [SWAP] > ├─new_laptop--vg-home 254:3 0 40G 0 lvm /home > └─new_laptop--vg-libvirt 254:4 0 60G 0 lvm /var/lib/libvirt [...]
I can reproduce this. What changed is that we now use LUKS2 instead of LUKS1. Although GRUB has some LUKS2 support, it doesn't probe LUKS2 volumes automatically. I found the 3 upstream commits that are enough to make the "grub-probe ..." line work and am attaching a debdiff with those. I don't know whether this is enough to completely fix the problem. Ben. -- Ben Hutchings Never put off till tomorrow what you can avoid all together.
diff -Nru grub2-2.06/debian/changelog grub2-2.06/debian/changelog --- grub2-2.06/debian/changelog 2023-02-25 21:16:55.000000000 +0100 +++ grub2-2.06/debian/changelog 2023-03-03 19:21:28.000000000 +0100 @@ -1,3 +1,15 @@ +grub2 (2.06-8.2) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix probing of LUKS2 devices (Closes: #1028301): + - disk/cryptodisk: When cheatmounting, use the sector info of the cheat + device + - osdep/devmapper/getroot: Have devmapper recognize LUKS2 + - osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM + parameters + + -- Ben Hutchings <b...@debian.org> Fri, 03 Mar 2023 19:21:28 +0100 + grub2 (2.06-8.1) experimental; urgency=medium * Non-maintainer upload. diff -Nru grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch --- grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch 1970-01-01 01:00:00.000000000 +0100 +++ grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch 2023-03-03 19:21:28.000000000 +0100 @@ -0,0 +1,72 @@ +From: Fabian Vogt <fv...@suse.de> +Date: Thu, 12 Jan 2023 17:05:07 -0600 +Subject: disk/cryptodisk: When cheatmounting, use the sector info of the cheat + device +Origin: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=efc9c363b2aab222586b420508eb46fc13242739 +Bug-Debian: https://bugs.debian.org/1028301 + +When using grub-probe with cryptodisk, the mapped block device from the host +is used directly instead of decrypting the source device in GRUB code. +In that case, the sector size and count of the host device needs to be used. +This is especially important when using LUKS2, which does not assign +total_sectors and log_sector_size when scanning, but only later when the +segments in the JSON area are evaluated. With an unset log_sector_size, +grub_device_open() complains. + +This fixes grub-probe failing with +"error: sector sizes of 1 bytes aren't supported yet.". + +Signed-off-by: Fabian Vogt <fv...@suse.de> +Reviewed-by: Patrick Steinhardt <p...@pks.im> +Tested-by: Glenn Washburn <developm...@efficientek.com> +Reviewed-by: Glenn Washburn <developm...@efficientek.com> +Reviewed-by: Patrick Steinhardt <p...@pks.im> +Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> +--- + grub-core/disk/cryptodisk.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -694,16 +694,31 @@ grub_cryptodisk_open (const char *name, + if (!dev) + return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "No such device"); + +- disk->log_sector_size = dev->log_sector_size; +- + #ifdef GRUB_UTIL + if (dev->cheat) + { ++ grub_uint64_t cheat_dev_size; ++ unsigned int cheat_log_sector_size; ++ + if (!GRUB_UTIL_FD_IS_VALID (dev->cheat_fd)) + dev->cheat_fd = grub_util_fd_open (dev->cheat, GRUB_UTIL_FD_O_RDONLY); + if (!GRUB_UTIL_FD_IS_VALID (dev->cheat_fd)) + return grub_error (GRUB_ERR_IO, N_("cannot open `%s': %s"), + dev->cheat, grub_util_fd_strerror ()); ++ ++ /* Use the sector size and count of the cheat device. */ ++ cheat_dev_size = grub_util_get_fd_size (dev->cheat_fd, dev->cheat, &cheat_log_sector_size); ++ if (cheat_dev_size == -1) ++ { ++ const char *errmsg = grub_util_fd_strerror (); ++ grub_util_fd_close (dev->cheat_fd); ++ dev->cheat_fd = GRUB_UTIL_FD_INVALID; ++ return grub_error (GRUB_ERR_IO, N_("failed to query size of device `%s': %s"), ++ dev->cheat, errmsg); ++ } ++ ++ dev->log_sector_size = cheat_log_sector_size; ++ dev->total_sectors = cheat_dev_size >> cheat_log_sector_size; + } + #endif + +@@ -717,6 +732,7 @@ grub_cryptodisk_open (const char *name, + } + + disk->data = dev; ++ disk->log_sector_size = dev->log_sector_size; + disk->total_sectors = dev->total_sectors; + disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE; + disk->id = dev->id; diff -Nru grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch --- grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch 1970-01-01 01:00:00.000000000 +0100 +++ grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch 2023-03-03 19:20:49.000000000 +0100 @@ -0,0 +1,54 @@ +From: Josselin Poiret <d...@jpoiret.xyz> +Date: Thu, 12 Jan 2023 17:05:08 -0600 +Subject: osdep/devmapper/getroot: Have devmapper recognize LUKS2 +Origin: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9022a48dd9984fc3e90a5b42c3b5483d6061ccfb +Bug-Debian: https://bugs.debian.org/1028301 + +Changes UUID comparisons so that LUKS1 and LUKS2 are both recognized +as being LUKS cryptodisks. + +Signed-off-by: Josselin Poiret <d...@jpoiret.xyz> +Tested-by: Glenn Washburn <developm...@efficientek.com> +Reviewed-by: Patrick Steinhardt <p...@pks.im> +Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> +--- + grub-core/osdep/devmapper/getroot.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/grub-core/osdep/devmapper/getroot.c ++++ b/grub-core/osdep/devmapper/getroot.c +@@ -143,7 +143,8 @@ grub_util_get_dm_abstraction (const char + grub_free (uuid); + return GRUB_DEV_ABSTRACTION_LVM; + } +- if (strncmp (uuid, "CRYPT-LUKS1-", 12) == 0) ++ if (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 ++ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0) + { + grub_free (uuid); + return GRUB_DEV_ABSTRACTION_LUKS; +@@ -184,7 +185,9 @@ grub_util_pull_devmapper (const char *os + grub_util_pull_device (subdev); + } + } +- if (uuid && strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 ++ if (uuid ++ && (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 ++ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0) + && lastsubdev) + { + char *grdev = grub_util_get_grub_dev (lastsubdev); +@@ -258,11 +261,11 @@ grub_util_get_devmapper_grub_dev (const + { + char *dash; + +- dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS1-") - 1, '-'); ++ dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS*-") - 1, '-'); + if (dash) + *dash = 0; + grub_dev = grub_xasprintf ("cryptouuid/%s", +- uuid + sizeof ("CRYPT-LUKS1-") - 1); ++ uuid + sizeof ("CRYPT-LUKS*-") - 1); + grub_free (uuid); + return grub_dev; + } diff -Nru grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch --- grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch 1970-01-01 01:00:00.000000000 +0100 +++ grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch 2023-03-03 19:21:28.000000000 +0100 @@ -0,0 +1,154 @@ +From: Josselin Poiret <d...@jpoiret.xyz> +Date: Thu, 12 Jan 2023 17:05:09 -0600 +Subject: osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from + DM parameters +Origin: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=aa5172a55cfabdd0bed3161ad44fc228b9d019f7 +Bug-Debian: https://bugs.debian.org/1028301 + +This lets a LUKS2 cryptodisk have its cipher and hash filled out, +otherwise they wouldn't be initialized if cheat mounted. + +Signed-off-by: Josselin Poiret <d...@jpoiret.xyz> +Tested-by: Glenn Washburn <developm...@efficientek.com> +Reviewed-by: Patrick Steinhardt <p...@pks.im> +Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> +--- + grub-core/osdep/devmapper/getroot.c | 107 +++++++++++++++++++++++++++++++++++- + 1 file changed, 106 insertions(+), 1 deletion(-) + +diff --git a/grub-core/osdep/devmapper/getroot.c b/grub-core/osdep/devmapper/getroot.c +index 2bf4264..cc3f7da 100644 +--- a/grub-core/osdep/devmapper/getroot.c ++++ b/grub-core/osdep/devmapper/getroot.c +@@ -51,6 +51,8 @@ + #include <grub/emu/misc.h> + #include <grub/emu/hostdisk.h> + ++#include <grub/cryptodisk.h> ++ + static int + grub_util_open_dm (const char *os_dev, struct dm_tree **tree, + struct dm_tree_node **node) +@@ -186,7 +188,6 @@ grub_util_pull_devmapper (const char *os_dev) + && lastsubdev) + { + char *grdev = grub_util_get_grub_dev (lastsubdev); +- dm_tree_free (tree); + if (grdev) + { + grub_err_t err; +@@ -194,7 +195,111 @@ grub_util_pull_devmapper (const char *os_dev) + if (err) + grub_util_error (_("can't mount encrypted volume `%s': %s"), + lastsubdev, grub_errmsg); ++ if (strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0) ++ { ++ /* ++ * Set LUKS2 cipher from dm parameters, since it is not ++ * possible to determine the correct one without ++ * unlocking, as there might be multiple segments. ++ */ ++ grub_disk_t source; ++ grub_cryptodisk_t cryptodisk; ++ grub_uint64_t start, length; ++ char *target_type; ++ char *params; ++ const char *name; ++ char *cipher, *cipher_mode; ++ struct dm_task *dmt; ++ char *seek_head, *c; ++ unsigned int remaining; ++ ++ source = grub_disk_open (grdev); ++ if (! source) ++ grub_util_error (_("cannot open grub disk `%s'"), grdev); ++ cryptodisk = grub_cryptodisk_get_by_source_disk (source); ++ if (! cryptodisk) ++ grub_util_error (_("cannot get cryptodisk from source disk `%s'"), grdev); ++ grub_disk_close (source); ++ ++ /* ++ * The following function always returns a non-NULL pointer, ++ * but the string may be empty if the relevant info is not present. ++ */ ++ name = dm_tree_node_get_name (node); ++ if (*name == '\0') ++ grub_util_error (_("cannot get dm node name for grub dev `%s'"), grdev); ++ ++ grub_util_info ("populating parameters of cryptomount `%s' from DM device `%s'", ++ uuid, name); ++ ++ dmt = dm_task_create (DM_DEVICE_TABLE); ++ if (dmt == NULL) ++ grub_util_error (_("can't create dm task DM_DEVICE_TABLE")); ++ if (dm_task_set_name (dmt, name) == 0) ++ grub_util_error (_("can't set dm task name to `%s'"), name); ++ if (dm_task_run (dmt) == 0) ++ grub_util_error (_("can't run dm task for `%s'"), name); ++ /* ++ * dm_get_next_target() doesn't have any error modes, everything has ++ * been handled by dm_task_run(). ++ */ ++ dm_get_next_target (dmt, NULL, &start, &length, ++ &target_type, ¶ms); ++ if (strncmp (target_type, "crypt", sizeof ("crypt")) != 0) ++ grub_util_error (_("dm target of type `%s' is not `crypt'"), target_type); ++ ++ /* ++ * The dm target parameters for dm-crypt are ++ * <cipher> <key> <iv_offset> <device path> <offset> [<#opt_params> <opt_param1> ...] ++ */ ++ c = params; ++ remaining = grub_strlen (c); ++ ++ /* First, get the cipher name from the cipher. */ ++ seek_head = grub_memchr (c, '-', remaining); ++ if (seek_head == NULL) ++ grub_util_error (_("can't get cipher from dm-crypt parameters `%s'"), ++ params); ++ cipher = grub_strndup (c, seek_head - c); ++ if (cipher == NULL) ++ grub_util_error (_("could not strndup cipher of length `%lu'"), seek_head - c); ++ remaining -= seek_head - c + 1; ++ c = seek_head + 1; ++ ++ /* Now, the cipher mode. */ ++ seek_head = grub_memchr (c, ' ', remaining); ++ if (seek_head == NULL) ++ grub_util_error (_("can't get cipher mode from dm-crypt parameters `%s'"), ++ params); ++ cipher_mode = grub_strndup (c, seek_head - c); ++ if (cipher_mode == NULL) ++ grub_util_error (_("could not strndup cipher_mode of length `%lu'"), seek_head - c); ++ ++ remaining -= seek_head - c + 1; ++ c = seek_head + 1; ++ ++ err = grub_cryptodisk_setcipher (cryptodisk, cipher, cipher_mode); ++ if (err) ++ grub_util_error (_("can't set cipher of cryptodisk `%s' to `%s' with mode `%s'"), ++ uuid, cipher, cipher_mode); ++ ++ grub_free (cipher); ++ grub_free (cipher_mode); ++ ++ /* ++ * This is the only hash usable by PBKDF2, and we don't ++ * have Argon2 support yet, so set it by default, ++ * otherwise grub-probe would miss the required ++ * abstraction. ++ */ ++ cryptodisk->hash = grub_crypto_lookup_md_by_name ("sha256"); ++ if (cryptodisk->hash == NULL) ++ grub_util_error (_("can't lookup hash sha256 by name")); ++ ++ dm_task_destroy (dmt); ++ } + } ++ dm_tree_free (tree); + grub_free (grdev); + } + else +-- +cgit v1.1 + diff -Nru grub2-2.06/debian/patches/series grub2-2.06/debian/patches/series --- grub2-2.06/debian/patches/series 2023-02-25 21:09:36.000000000 +0100 +++ grub2-2.06/debian/patches/series 2023-03-03 19:21:28.000000000 +0100 @@ -115,3 +115,6 @@ ignore_checksum_seed_incompat_feature.patch ignore_the_large_dir_incompat_feature.patch 987008-lvrename-boot-fail.patch +disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch +osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch +osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch
signature.asc
Description: This is a digitally signed message part