Thanks Ben! Looking at these now...
On Fri, Mar 03, 2023 at 09:28:26PM +0100, Ben Hutchings wrote: >Control: tag -1 upstream fixed-upstream patch > >On Mon, 09 Jan 2023 12:12:19 +0100 Laurent Bigonville ><bi...@debian.org> wrote: >> Package: grub-common >> Version: 2.06-7 >> Severity: serious >> File: /usr/sbin/grub-probe >> >> Hello, >> >> On a newly installed laptop, it seems that grub-probe is not able to >> detect that files are on an encrypted FS. >> >> New laptop: >> >> $ sudo grub-probe -t abstraction >> /usr/share/images/desktop-base/desktop-grub.png >> lvm >> >> $ sudo lsblk >> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS >> nvme0n1 259:0 0 476,9G 0 disk >> ├─nvme0n1p1 259:1 0 512M 0 part /boot/efi >> ├─nvme0n1p2 259:2 0 488M 0 part /boot >> └─nvme0n1p3 259:3 0 476G 0 part >> └─nvme0n1p3_crypt 254:0 0 475,9G 0 crypt >> ├─new_laptop--vg-root 254:1 0 27,9G 0 lvm / >> ├─new_laptop--vg-swap_1 254:2 0 976M 0 lvm [SWAP] >> ├─new_laptop--vg-home 254:3 0 40G 0 lvm /home >> └─new_laptop--vg-libvirt 254:4 0 60G 0 lvm /var/lib/libvirt >[...] > >I can reproduce this. What changed is that we now use LUKS2 instead of >LUKS1. Although GRUB has some LUKS2 support, it doesn't probe LUKS2 >volumes automatically. > >I found the 3 upstream commits that are enough to make the "grub-probe >..." line work and am attaching a debdiff with those. I don't know >whether this is enough to completely fix the problem. > >Ben. > >-- >Ben Hutchings >Never put off till tomorrow what you can avoid all together. > >diff -Nru grub2-2.06/debian/changelog grub2-2.06/debian/changelog >--- grub2-2.06/debian/changelog 2023-02-25 21:16:55.000000000 +0100 >+++ grub2-2.06/debian/changelog 2023-03-03 19:21:28.000000000 +0100 >@@ -1,3 +1,15 @@ >+grub2 (2.06-8.2) UNRELEASED; urgency=medium >+ >+ * Non-maintainer upload. >+ * Fix probing of LUKS2 devices (Closes: #1028301): >+ - disk/cryptodisk: When cheatmounting, use the sector info of the cheat >+ device >+ - osdep/devmapper/getroot: Have devmapper recognize LUKS2 >+ - osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM >+ parameters >+ >+ -- Ben Hutchings <b...@debian.org> Fri, 03 Mar 2023 19:21:28 +0100 >+ > grub2 (2.06-8.1) experimental; urgency=medium > > * Non-maintainer upload. >diff -Nru >grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch > >grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch >--- >grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch > 1970-01-01 01:00:00.000000000 +0100 >+++ >grub2-2.06/debian/patches/disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch > 2023-03-03 19:21:28.000000000 +0100 >@@ -0,0 +1,72 @@ >+From: Fabian Vogt <fv...@suse.de> >+Date: Thu, 12 Jan 2023 17:05:07 -0600 >+Subject: disk/cryptodisk: When cheatmounting, use the sector info of the cheat >+ device >+Origin: >https://git.savannah.gnu.org/cgit/grub.git/commit/?id=efc9c363b2aab222586b420508eb46fc13242739 >+Bug-Debian: https://bugs.debian.org/1028301 >+ >+When using grub-probe with cryptodisk, the mapped block device from the host >+is used directly instead of decrypting the source device in GRUB code. >+In that case, the sector size and count of the host device needs to be used. >+This is especially important when using LUKS2, which does not assign >+total_sectors and log_sector_size when scanning, but only later when the >+segments in the JSON area are evaluated. With an unset log_sector_size, >+grub_device_open() complains. >+ >+This fixes grub-probe failing with >+"error: sector sizes of 1 bytes aren't supported yet.". >+ >+Signed-off-by: Fabian Vogt <fv...@suse.de> >+Reviewed-by: Patrick Steinhardt <p...@pks.im> >+Tested-by: Glenn Washburn <developm...@efficientek.com> >+Reviewed-by: Glenn Washburn <developm...@efficientek.com> >+Reviewed-by: Patrick Steinhardt <p...@pks.im> >+Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> >+--- >+ grub-core/disk/cryptodisk.c | 20 ++++++++++++++++++-- >+ 1 file changed, 18 insertions(+), 2 deletions(-) >+ >+--- a/grub-core/disk/cryptodisk.c >++++ b/grub-core/disk/cryptodisk.c >+@@ -694,16 +694,31 @@ grub_cryptodisk_open (const char *name, >+ if (!dev) >+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "No such device"); >+ >+- disk->log_sector_size = dev->log_sector_size; >+- >+ #ifdef GRUB_UTIL >+ if (dev->cheat) >+ { >++ grub_uint64_t cheat_dev_size; >++ unsigned int cheat_log_sector_size; >++ >+ if (!GRUB_UTIL_FD_IS_VALID (dev->cheat_fd)) >+ dev->cheat_fd = grub_util_fd_open (dev->cheat, GRUB_UTIL_FD_O_RDONLY); >+ if (!GRUB_UTIL_FD_IS_VALID (dev->cheat_fd)) >+ return grub_error (GRUB_ERR_IO, N_("cannot open `%s': %s"), >+ dev->cheat, grub_util_fd_strerror ()); >++ >++ /* Use the sector size and count of the cheat device. */ >++ cheat_dev_size = grub_util_get_fd_size (dev->cheat_fd, dev->cheat, >&cheat_log_sector_size); >++ if (cheat_dev_size == -1) >++ { >++ const char *errmsg = grub_util_fd_strerror (); >++ grub_util_fd_close (dev->cheat_fd); >++ dev->cheat_fd = GRUB_UTIL_FD_INVALID; >++ return grub_error (GRUB_ERR_IO, N_("failed to query size of device >`%s': %s"), >++ dev->cheat, errmsg); >++ } >++ >++ dev->log_sector_size = cheat_log_sector_size; >++ dev->total_sectors = cheat_dev_size >> cheat_log_sector_size; >+ } >+ #endif >+ >+@@ -717,6 +732,7 @@ grub_cryptodisk_open (const char *name, >+ } >+ >+ disk->data = dev; >++ disk->log_sector_size = dev->log_sector_size; >+ disk->total_sectors = dev->total_sectors; >+ disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE; >+ disk->id = dev->id; >diff -Nru >grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch > >grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch >--- >grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch > 1970-01-01 01:00:00.000000000 +0100 >+++ >grub2-2.06/debian/patches/osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch > 2023-03-03 19:20:49.000000000 +0100 >@@ -0,0 +1,54 @@ >+From: Josselin Poiret <d...@jpoiret.xyz> >+Date: Thu, 12 Jan 2023 17:05:08 -0600 >+Subject: osdep/devmapper/getroot: Have devmapper recognize LUKS2 >+Origin: >https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9022a48dd9984fc3e90a5b42c3b5483d6061ccfb >+Bug-Debian: https://bugs.debian.org/1028301 >+ >+Changes UUID comparisons so that LUKS1 and LUKS2 are both recognized >+as being LUKS cryptodisks. >+ >+Signed-off-by: Josselin Poiret <d...@jpoiret.xyz> >+Tested-by: Glenn Washburn <developm...@efficientek.com> >+Reviewed-by: Patrick Steinhardt <p...@pks.im> >+Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> >+--- >+ grub-core/osdep/devmapper/getroot.c | 11 +++++++---- >+ 1 file changed, 7 insertions(+), 4 deletions(-) >+ >+--- a/grub-core/osdep/devmapper/getroot.c >++++ b/grub-core/osdep/devmapper/getroot.c >+@@ -143,7 +143,8 @@ grub_util_get_dm_abstraction (const char >+ grub_free (uuid); >+ return GRUB_DEV_ABSTRACTION_LVM; >+ } >+- if (strncmp (uuid, "CRYPT-LUKS1-", 12) == 0) >++ if (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 >++ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0) >+ { >+ grub_free (uuid); >+ return GRUB_DEV_ABSTRACTION_LUKS; >+@@ -184,7 +185,9 @@ grub_util_pull_devmapper (const char *os >+ grub_util_pull_device (subdev); >+ } >+ } >+- if (uuid && strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == >0 >++ if (uuid >++ && (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0 >++ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == >0) >+ && lastsubdev) >+ { >+ char *grdev = grub_util_get_grub_dev (lastsubdev); >+@@ -258,11 +261,11 @@ grub_util_get_devmapper_grub_dev (const >+ { >+ char *dash; >+ >+- dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS1-") - 1, '-'); >++ dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS*-") - 1, '-'); >+ if (dash) >+ *dash = 0; >+ grub_dev = grub_xasprintf ("cryptouuid/%s", >+- uuid + sizeof ("CRYPT-LUKS1-") - 1); >++ uuid + sizeof ("CRYPT-LUKS*-") - 1); >+ grub_free (uuid); >+ return grub_dev; >+ } >diff -Nru >grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch > >grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch >--- >grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch > 1970-01-01 01:00:00.000000000 +0100 >+++ >grub2-2.06/debian/patches/osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch > 2023-03-03 19:21:28.000000000 +0100 >@@ -0,0 +1,154 @@ >+From: Josselin Poiret <d...@jpoiret.xyz> >+Date: Thu, 12 Jan 2023 17:05:09 -0600 >+Subject: osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from >+ DM parameters >+Origin: >https://git.savannah.gnu.org/cgit/grub.git/commit/?id=aa5172a55cfabdd0bed3161ad44fc228b9d019f7 >+Bug-Debian: https://bugs.debian.org/1028301 >+ >+This lets a LUKS2 cryptodisk have its cipher and hash filled out, >+otherwise they wouldn't be initialized if cheat mounted. >+ >+Signed-off-by: Josselin Poiret <d...@jpoiret.xyz> >+Tested-by: Glenn Washburn <developm...@efficientek.com> >+Reviewed-by: Patrick Steinhardt <p...@pks.im> >+Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> >+--- >+ grub-core/osdep/devmapper/getroot.c | 107 >+++++++++++++++++++++++++++++++++++- >+ 1 file changed, 106 insertions(+), 1 deletion(-) >+ >+diff --git a/grub-core/osdep/devmapper/getroot.c >b/grub-core/osdep/devmapper/getroot.c >+index 2bf4264..cc3f7da 100644 >+--- a/grub-core/osdep/devmapper/getroot.c >++++ b/grub-core/osdep/devmapper/getroot.c >+@@ -51,6 +51,8 @@ >+ #include <grub/emu/misc.h> >+ #include <grub/emu/hostdisk.h> >+ >++#include <grub/cryptodisk.h> >++ >+ static int >+ grub_util_open_dm (const char *os_dev, struct dm_tree **tree, >+ struct dm_tree_node **node) >+@@ -186,7 +188,6 @@ grub_util_pull_devmapper (const char *os_dev) >+ && lastsubdev) >+ { >+ char *grdev = grub_util_get_grub_dev (lastsubdev); >+- dm_tree_free (tree); >+ if (grdev) >+ { >+ grub_err_t err; >+@@ -194,7 +195,111 @@ grub_util_pull_devmapper (const char *os_dev) >+ if (err) >+ grub_util_error (_("can't mount encrypted volume `%s': %s"), >+ lastsubdev, grub_errmsg); >++ if (strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == >0) >++ { >++ /* >++ * Set LUKS2 cipher from dm parameters, since it is not >++ * possible to determine the correct one without >++ * unlocking, as there might be multiple segments. >++ */ >++ grub_disk_t source; >++ grub_cryptodisk_t cryptodisk; >++ grub_uint64_t start, length; >++ char *target_type; >++ char *params; >++ const char *name; >++ char *cipher, *cipher_mode; >++ struct dm_task *dmt; >++ char *seek_head, *c; >++ unsigned int remaining; >++ >++ source = grub_disk_open (grdev); >++ if (! source) >++ grub_util_error (_("cannot open grub disk `%s'"), grdev); >++ cryptodisk = grub_cryptodisk_get_by_source_disk (source); >++ if (! cryptodisk) >++ grub_util_error (_("cannot get cryptodisk from source disk >`%s'"), grdev); >++ grub_disk_close (source); >++ >++ /* >++ * The following function always returns a non-NULL pointer, >++ * but the string may be empty if the relevant info is not >present. >++ */ >++ name = dm_tree_node_get_name (node); >++ if (*name == '\0') >++ grub_util_error (_("cannot get dm node name for grub dev >`%s'"), grdev); >++ >++ grub_util_info ("populating parameters of cryptomount `%s' >from DM device `%s'", >++ uuid, name); >++ >++ dmt = dm_task_create (DM_DEVICE_TABLE); >++ if (dmt == NULL) >++ grub_util_error (_("can't create dm task DM_DEVICE_TABLE")); >++ if (dm_task_set_name (dmt, name) == 0) >++ grub_util_error (_("can't set dm task name to `%s'"), name); >++ if (dm_task_run (dmt) == 0) >++ grub_util_error (_("can't run dm task for `%s'"), name); >++ /* >++ * dm_get_next_target() doesn't have any error modes, >everything has >++ * been handled by dm_task_run(). >++ */ >++ dm_get_next_target (dmt, NULL, &start, &length, >++ &target_type, ¶ms); >++ if (strncmp (target_type, "crypt", sizeof ("crypt")) != 0) >++ grub_util_error (_("dm target of type `%s' is not `crypt'"), >target_type); >++ >++ /* >++ * The dm target parameters for dm-crypt are >++ * <cipher> <key> <iv_offset> <device path> <offset> >[<#opt_params> <opt_param1> ...] >++ */ >++ c = params; >++ remaining = grub_strlen (c); >++ >++ /* First, get the cipher name from the cipher. */ >++ seek_head = grub_memchr (c, '-', remaining); >++ if (seek_head == NULL) >++ grub_util_error (_("can't get cipher from dm-crypt >parameters `%s'"), >++ params); >++ cipher = grub_strndup (c, seek_head - c); >++ if (cipher == NULL) >++ grub_util_error (_("could not strndup cipher of length >`%lu'"), seek_head - c); >++ remaining -= seek_head - c + 1; >++ c = seek_head + 1; >++ >++ /* Now, the cipher mode. */ >++ seek_head = grub_memchr (c, ' ', remaining); >++ if (seek_head == NULL) >++ grub_util_error (_("can't get cipher mode from dm-crypt >parameters `%s'"), >++ params); >++ cipher_mode = grub_strndup (c, seek_head - c); >++ if (cipher_mode == NULL) >++ grub_util_error (_("could not strndup cipher_mode of length >`%lu'"), seek_head - c); >++ >++ remaining -= seek_head - c + 1; >++ c = seek_head + 1; >++ >++ err = grub_cryptodisk_setcipher (cryptodisk, cipher, >cipher_mode); >++ if (err) >++ grub_util_error (_("can't set cipher of cryptodisk `%s' to >`%s' with mode `%s'"), >++ uuid, cipher, cipher_mode); >++ >++ grub_free (cipher); >++ grub_free (cipher_mode); >++ >++ /* >++ * This is the only hash usable by PBKDF2, and we don't >++ * have Argon2 support yet, so set it by default, >++ * otherwise grub-probe would miss the required >++ * abstraction. >++ */ >++ cryptodisk->hash = grub_crypto_lookup_md_by_name ("sha256"); >++ if (cryptodisk->hash == NULL) >++ grub_util_error (_("can't lookup hash sha256 by name")); >++ >++ dm_task_destroy (dmt); >++ } >+ } >++ dm_tree_free (tree); >+ grub_free (grdev); >+ } >+ else >+-- >+cgit v1.1 >+ >diff -Nru grub2-2.06/debian/patches/series grub2-2.06/debian/patches/series >--- grub2-2.06/debian/patches/series 2023-02-25 21:09:36.000000000 +0100 >+++ grub2-2.06/debian/patches/series 2023-03-03 19:21:28.000000000 +0100 >@@ -115,3 +115,6 @@ > ignore_checksum_seed_incompat_feature.patch > ignore_the_large_dir_incompat_feature.patch > 987008-lvrename-boot-fail.patch >+disk-cryptodisk-when-cheatmounting-use-the-sector-info-of-the-cheat-device.patch >+osdep-devmapper-getroot-have-devmapper-recognize-luks2.patch >+osdep-devmapper-getroot-set-up-cheated-luks2-cryptodisk-mount-from-dm-parameters.patch -- Steve McIntyre, Cambridge, UK. st...@einval.com "Since phone messaging became popular, the young generation has lost the ability to read or write anything that is longer than one hundred and sixty characters." -- Ignatios Souvatzis
