Bug#927165: debian-installer: improve support for LUKS

Cyril Brulebois kibi at debian.org
Mon Apr 15 22:24:19 BST 2019


Heya,

Guilhem Moulin <guilhem at debian.org> (2019-04-15):
> On Mon, 15 Apr 2019 at 21:40:35 +0200, Cyril Brulebois wrote:
> > There are also some other highlights in this changelog entry, regarding
> > key sizes, and some update to partman-crypto might be needed…
> 
> GRUB stuff aside?

My point above was that there are a number of “keysize” occurrences in
partman-crypto[1] that might need to be adjusted for the new sizes in
cryptsetup.

 1. https://salsa.debian.org/installer-team/partman-crypto

> AFAICT not, but FWIW we poked debian-boot to highlight the changes
> when 2.1.0 entered unstable two months ago:
> 
>     https://lists.debian.org/debian-boot/2019/02/msg00100.html
> 
> Yup that was quite late in the release cycle, sorry for that.
> Formatting new devices to LUKS2 by default was discussed since the
> summer, and 2.1 was originally planned for late 2018.  In the end it
> was released 2 months later, but since we had this discussion before
> we thought we had d-i's blessing here regarding LUKS2, and uploaded to
> sid just before the freeze:
> 
>     https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919725

Well, even if that's outside the full freeze, I wasn't exactly expecting
a change of that importance to happen a couple of weeks before… Unless I
missed something, MRs only trigger notifications to people involved with
the actual MR or those who are mentioned in there.

I'm also immensely grateful for all the security-related work Matthew
Garrett puts everywhere he goes, but I'm not sure that MR qualifies as
“requested by d-i [0]” as you mentioned in [2].

 2. https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html

Regarding the mail you sent to debian-boot@ (which is of course much
appreciated!), that's still happening after the fact (the package is
already in the archive), and there's only a couple of days to react
before it reaches testing (barring any RC/transition-induced issues).

And while I cannot personally guarantee I'm going to spot all mails that
need action/reaction on the mailing list, something like a mention of
this GRUB limitation[3] (apparently documented since late 2018) might
have piqued somebody's interest back then and could have triggered some
feedback from someone else…

 3. https://savannah.gnu.org/bugs/?55093

> > One could argue that cryptodisk support has never been supported by
> > d-i anyway,
> 
> Yup, and I suppose that's why I overlooked this in my mail to
> debian-boot :-P  Jonathan Carter had a similar report last week
> 
>     https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html

While I'm usually fine to dismiss some bug reports as “it's unsupported,
sorry”, making users' life harder doesn't seem really reasonable… :/

> Should have poked debian-boot immediately, apologies for not doing so
> :-(  Until GRUB unlocking is supported in d-i [#849400] I'd say it's
> enough to document the change and make the LUKS version configurable
> (from an expert prompt or preseed.cfg).
> 
> > And for those who would wonder: It seems that LUKS2 brings some
> > interesting features on the security front, so it doesn't seem really
> > reasonable to stick to LUKS1 unconditionally.
> 
> Agreed, for the reasons mentioned in my reply to Jonathan:
> 
>     https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html
> 
> (first paragraph).

Thanks for the pointer and those details; to be fair, I wanted to
concentrate back on the release process and thought they would likely be
mentioned magically on this bug report while I was busy pushing the
release announcement. :)

Time for some rest here. I've added the “LUKS version configurability”
topic to my list of urgent d-i issues, and I'll try to get that done
soon.


Thanks again for the feedback!


Cheers,
-- 
Cyril Brulebois (kibi at debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
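The practical check behind this thread is whether a device was formatted as LUKS1 or LUKS2, since GRUB's cryptodisk could not unlock LUKS2 at the time. Below is an added example (not part of this mail or of partman-crypto) that reads the LUKS header magic and version, plus the LUKS1 key size field; the sample headers are constructed in the script, not dumped from a real device.

```python
"""Inspect a LUKS on-disk header and report its format version.

Offsets follow the LUKS1 on-disk specification and the LUKS2 binary header
layout; both share a 6-byte magic and a big-endian uint16 version at offset 6.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic


def parse_luks_header(hdr: bytes) -> dict:
    """Return version and, for LUKS1, cipher/hash/key size; raise on non-LUKS data."""
    if len(hdr) < 8 or hdr[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", hdr, 6)[0]
    info = {"version": version}
    if version == 1:
        # LUKS1: cipher-name[32] @8, cipher-mode[32] @40, hash-spec[32] @72,
        # payload-offset u32 @104, key-bytes u32 @108 (big-endian)
        name, mode, hash_spec = struct.unpack_from("32s32s32s", hdr, 8)
        key_bytes = struct.unpack_from(">I", hdr, 108)[0]
        info["cipher"] = name.rstrip(b"\0").decode() + "-" + mode.rstrip(b"\0").decode()
        info["hash"] = hash_spec.rstrip(b"\0").decode()
        info["key_bits"] = key_bytes * 8
    elif version == 2:
        # LUKS2: hdr_size u64 @8, seqid u64 @16, label[48] @24; keyslots,
        # cipher and key sizes live in the JSON area after the binary header
        info["hdr_size"] = struct.unpack_from(">Q", hdr, 8)[0]
        info["label"] = struct.unpack_from("48s", hdr, 24)[0].rstrip(b"\0").decode()
    return info


def grub_unlock_concern(hdr: bytes):
    """Warn when the header is LUKS2, which GRUB cryptodisk could not unlock
    when this thread was written (savannah bug 55093); None for LUKS1."""
    if parse_luks_header(hdr)["version"] == 2:
        return "LUKS2 header: GRUB cryptodisk unlock unsupported (savannah #55093)"
    return None


def luks1_sample(key_bytes: int) -> bytes:
    """Constructed 592-byte LUKS1 header (aes-xts-plain64, sha256); not real data."""
    hdr = bytearray(592)
    hdr[:8] = LUKS_MAGIC + struct.pack(">H", 1)
    struct.pack_into("32s32s32s", hdr, 8, b"aes", b"xts-plain64", b"sha256")
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)
    return bytes(hdr)


def luks2_sample() -> bytes:
    """Constructed 4096-byte LUKS2 binary header with a label; not real data."""
    hdr = bytearray(4096)
    hdr[:8] = LUKS_MAGIC + struct.pack(">H", 2)
    struct.pack_into(">QQ48s", hdr, 8, 16384, 1, b"d-i-test")
    return bytes(hdr)
```

On a real system the same parser can be fed the first 4096 bytes read from the block device holding /boot (a constructed header is used here so it runs offline).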