Subject: Re: [PATCH v7] Support encrypted root in setup-disk
From: Krystian Chachuła
To: Alex Denes
Cc: ~alpine/devel@lists.alpinelinux.org, Drew DeVault
Date: Tue, 10 Aug 2021 16:48:28 +0200
Message-Id:
In-Reply-To: <23ERVP4T61ES0.38UZHUML8X76T@unix.is.love.unix.is.life>

Thanks for the review.

On Mon Aug 9, 2021 at 1:07 PM CEST, Alex Denes wrote:
> GRUB has recently added support for luks2 but the mkimage wrapper
> doesn't include the required modules so the support is not as automated
> as it should be.
> I would instead go for an encrypted root with an unencrypted /boot to
> avoid using luks1 for everything and it would simplify the setup. This
> is not "full-disk" encryption as one would want but it doesn't have the
> limitation that luks1 has.

Ok, this seems reasonable to me.
I'll modify the mount point so that in the case of GRUB with EFI we have
an unencrypted /boot. It will be similar to the current behavior when
choosing syslinux. Maybe in the meantime we'll get some more opinions on
this issue.

> A temporary symlink could work for this instead of making a full copy.
> Alternatively, a change of root would work as well but that requires
> setting up the chroot so that grub-install has the required paths.

This workaround is not needed if /boot is unencrypted.

> > + cryptsetup open "$dev" "$dmname" >&2
> > + echo "/dev/mapper/$dmname"
> I would check that the device is unlocked properly here and if not,
> prompt for a retry.

Is this really needed? cryptsetup open prompts for a retry when it fails.
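Review bot: the exit status of "cryptsetup open" in the quoted hunk is never checked before the following "echo "/dev/mapper/$dmname"", so when the unlock ultimately fails (cryptsetup does re-prompt interactively, but it still exits non-zero once its own retries are exhausted or when no terminal is available) the function prints a mapper path that does not exist and the caller carries on with it. Suggest returning the failure instead of the path, e.g. "cryptsetup open "$dev" "$dmname" >&2 || return 1" ahead of the echo, so the caller of this helper can stop rather than try to format or mount a missing device.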