From adce91a3ec0cb2912daa6eefe9324c15ff3126f7 Mon Sep 17 00:00:00 2001 From: Josselin Poiret Date: Mon, 15 Nov 2021 20:53:39 +0000 Subject: [PATCH] gnu: system: Add LUKS2 support for the root file system. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/bootloader/grub.scm (grub-configuration-file): Add 'insmod luks2'. * gnu/system/mapped-devices.scm (open-luks-device): Create '/run/cryptsetup/' directory. Signed-off-by: Ludovic Courtès --- gnu/bootloader/grub.scm | 3 +-- gnu/system/mapped-devices.scm | 10 ++++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index d8e888ff40..42f71aa4db 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -415,8 +415,7 @@ (define (crypto-device->cryptomount dev) ;; Other type of devices aren't implemented. #~())) (let ((devices (map crypto-device->cryptomount store-crypto-devices)) - ;; XXX: Add luks2 when grub 2.06 is packaged. - (modules #~(format port "insmod luks~%"))) + (modules #~(format port "insmod luks~%insmod luks2~%"))) (if (null? devices) devices (cons modules devices)))) diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 518dbc4fe8..96a381d5fe 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -192,7 +192,8 @@ (define (open-luks-device source targets) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure - '((gnu build file-systems))) + '((gnu build file-systems) + (guix build utils))) ;; For mkdir-p (match targets ((target) #~(let ((source #$(if (uuid? source) @@ -201,7 +202,12 @@ (define (open-luks-device source targets) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) - #:select (find-partition-by-luks-uuid))) + #:select (find-partition-by-luks-uuid)) + ((guix build utils) #:select (mkdir-p))) + + ;; Create '/run/cryptsetup/' if it does not exist, as device locking + ;; is mandatory for LUKS2. + (mkdir-p "/run/cryptsetup/") ;; Use 'cryptsetup-static', not 'cryptsetup', to avoid pulling the ;; whole world inside the initrd (for when we're in an initrd).