Bug#927165: debian-installer: improve support for LUKS
Cyril Brulebois
kibi at debian.org
Mon Apr 15 22:24:19 BST 2019
Heya,
Guilhem Moulin <guilhem at debian.org> (2019-04-15):
> On Mon, 15 Apr 2019 at 21:40:35 +0200, Cyril Brulebois wrote:
> > There are also some other highlights in this changelog entry, regarding
> > key sizes, and some update to partman-crypto might be needed…
>
> GRUB stuff aside?
My point above was that there are a number of “keysize” occurrences in
partman-crypto[1] that might need to be adjusted for the new sizes in
cryptsetup.
1. https://salsa.debian.org/installer-team/partman-crypto
> AFAICT not, but FWIW we poked debian-boot to highlight the changes
> when 2.1.0 entered unstable two months ago:
>
> https://lists.debian.org/debian-boot/2019/02/msg00100.html
>
> Yup that was quite late in the release cycle, sorry for that.
> Formatting new devices to LUKS2 by default was discussed since the
> summer, and 2.1 was originally planned for late 2018. In the end it
> was released 2 months later, but since we had this discussion before
> we thought we had d-i's blessing here regarding LUKS2, and uploaded to
> sid just before the freeze:
>
> https://salsa.debian.org/installer-team/partman-crypto/merge_requests/1
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919725
Well, even if that's outside the full freeze, I wasn't exactly expecting
a change of that importance to happen a couple of weeks before… Unless I
missed something, MRs only trigger notifications to people involved with
the actual MR or those who are mentioned in there.
I'm also immensely grateful for all the security-related work Matthew
Garrett puts everywhere he goes, but I'm not sure that MR qualifies as
“requested by d-i [0]” as you mentioned in [2].
2. https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html
Regarding the mail you sent to debian-boot@ (which is of course much
appreciated!), that's still happening after the fact (the package is
already in the archive), and there's only a couple of days to react
before it reaches testing (barring any RC/transition-induced issues).
And while I cannot personally guarantee I'm going to spot all mails that
need action/reaction on the mailing list, something like a mention of
this GRUB limitation[3] (apparently documented since late 2018) might
have peaked somebody's interest back then and could have triggered some
feedback from someone else…
3. https://savannah.gnu.org/bugs/?55093
> > One could argue that cryptodisk support has never been supported by
> > d-i anyway,
>
> Yup, and I suppose that's why I overlooked this in my mail to
> debian-boot :-P Jonathan Carter had a similar report last week
>
> https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008196.html
While I'm usually fine to dismiss some bug reports as “it's unsupported,
sorry”, making users' life harder doesn't seem really reasonable… :/
> Should have poked debian-boot immediately, apologies for not doing so
> :-( Until GRUB unlocking is supported in d-i [#849400] I'd say it's
> enough to document the change and make the LUKS version configurable
> (from an expert prompt or preseed.cfg).
>
> > And for those who would wonder: It seems that LUKS2 brings some
> > interesting features on the security front, so it doesn't seem really
> > reasonable to stick to LUKS1 unconditionally.
>
> Agreed, for the reasons mentioned in my reply to Jonathan:
>
> https://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/2019-April/008199.html
>
> (first paragraph).
Thanks for the pointer and those details; to be fair, I wanted to
concentrate back on the release process and thought they would likely be
mentioned magically on this bug report while I was busy pushing the
release announcement. :)
Time for some rest here. I've added the “LUKS version configurability”
topic to my list of urgent d-i issues, and I'll try to get that done
soon.
Thanks again for the feedback!
Cheers,
--
Cyril Brulebois (kibi at debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20190415/7a1b4d84/attachment.sig>
More information about the Pkg-grub-devel
mailing list