Hi,

Jinesh Choksi <jinesh@onelittlehope.com> (2023-07-02):
> The issue is this block of code:
> https://salsa.debian.org/installer-team/partman-crypto/-/blob/master/check.d/crypto_check_mountpoints#L94-102
>
> This 17 year old "Check - Is there a /boot partition for encrypted
> root?" is no longer valid.

It is.

> Grub2 added support for accessing LUKS1 partitions in 2011 -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a251b71915e40194d12995dbac9efd787687f988

Sure, that's known, and there were two talks during Mini-DebConfs in
2019 about this and LUKS2 (Marseille, Hamburg).

> Grub2 support for LUKS2 is also present but only for PBKDF2 keys -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

And since default LUKS2 settings are argon2id (argon2i previously), that
means that cannot work.

> For people who use LUKS1 to do full disk encryption, this "Check - Is
> there a /boot partition for encrypted root?" is a blocker in the
> Debian installer.

People finding their way to use LUKS1 instead of the default LUKS2 can
remove this check on their own.

> Dear maintainer(s), please review this bug report and remove this
> check.

Not until GRUB gets support for argon2i{d,}. And that's where my focus
is right now when it comes to d-i vs. LUKS.

PoC at https://salsa.debian.org/kibi/grub/-/commits/luks2-argon2-v0
but I have better plans to investigate.

Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
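
Added example, not part of the message above and not code from partman-crypto or GRUB: a header check that reports which KDF each keyslot uses and whether the volume falls in the set the thread says GRUB handles (LUKS1, or LUKS2 with a PBKDF2 keyslot). The function names and the sample headers are constructed for illustration; treating one PBKDF2 keyslot as sufficient is an assumption based on the thread's "only for PBKDF2 keys".

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BIN_HDR = 4096  # LUKS2 binary header size; the JSON metadata area follows it


def keyslot_kdfs(header):
    """Return (LUKS version, {keyslot id: KDF type}) from the start of a LUKS device."""
    if header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version == 1:
        return 1, {}  # LUKS1 keyslots are always PBKDF2, nothing to enumerate
    if version != 2:
        raise ValueError("unknown LUKS version %d" % version)
    # hdr_size (big-endian u64 at offset 8) covers binary header + JSON area
    (hdr_size,) = struct.unpack_from(">Q", header, 8)
    if len(header) < hdr_size:
        raise ValueError("need %d bytes, got %d" % (hdr_size, len(header)))
    meta = json.loads(header[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0])
    return 2, {sid: slot["kdf"]["type"] for sid, slot in meta["keyslots"].items()}


def grub_can_unlock(header):
    """Assumption from the thread: GRUB handles LUKS1, and LUKS2 only via PBKDF2 keyslots."""
    version, kdfs = keyslot_kdfs(header)
    return version == 1 or "pbkdf2" in kdfs.values()


def sample_luks2(kdf_types):
    """Constructed LUKS2 header (not a real volume) with one keyslot per KDF type."""
    slots = {str(i): {"type": "luks2", "kdf": {"type": k}} for i, k in enumerate(kdf_types)}
    area = json.dumps({"keyslots": slots}).encode().ljust(12288, b"\0")
    binhdr = LUKS_MAGIC + struct.pack(">HQ", 2, LUKS2_BIN_HDR + len(area))
    return binhdr.ljust(LUKS2_BIN_HDR, b"\0") + area


if __name__ == "__main__":
    samples = {
        "LUKS1": LUKS_MAGIC + struct.pack(">H", 1) + bytes(584),
        "LUKS2 argon2id (default)": sample_luks2(["argon2id"]),
        "LUKS2 argon2id + pbkdf2 slot": sample_luks2(["argon2id", "pbkdf2"]),
    }
    for name, hdr in samples.items():
        print(name, keyslot_kdfs(hdr), "GRUB can unlock:", grub_can_unlock(hdr))
```

On a real system the input would be the start of the LUKS device or a header backup file, long enough to cover the header size recorded in it.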