[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#927165: marked as done (debian-installer: improve support for LUKS)

Your message dated Sun, 29 Dec 2019 22:06:03 +0000
with message-id <E1ilghH-000EYr-Gd@fasolo.debian.org>
and subject line Bug#927165: fixed in installation-guide 20191229
has caused the Debian Bug report #927165,
regarding debian-installer: improve support for LUKS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

927165: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927165
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-installer
Version: 20190410
Severity: important

[ Copy sent to grub2 and cryptsetup maintainers, in addition to
debian-boot@ who maintains debian-installer; please keep everyone in
copy when answering. ]

This bug report serves as an entry point from the d-i errata page[1].
It is likely that some topics discussed below will be split into their
own separate bug reports.

 1. https://www.debian.org/devel/debian-installer/errata

In version 2:2.1.0-1, cryptsetup change the default on-disk LUKS format
from luks1 to luks2[2].

 2. https://tracker.debian.org/news/1028794/accepted-cryptsetup-2210-1-source-into-unstable/

There are also some other highlights in this changelog entry, regarding
key sizes, and some update to partman-crypto might be needed…

Some direct consequences of this default format change:
 - slightly anecdotal: stretch's d-i cannot rescue an encrypted buster
   system, as it doesn't know how to deal with this format;
 - but more worrisome: grub currently has no support for LUKS2. This
   means that users who want to use GRUB_ENABLE_CRYPTODISK and avoid a
   separate, unencrypted /boot, won't be able to do so…

I've only learned about this today, thanks to Colin Watson who brought
it up when I was asking for feedback when preparing D-I Buster RC 1.

Now the question is: What can be done in time for buster?

 - It seems unlikely to have LUKS2 code ready for grub.
 - It should be feasible to add an option to force LUKS1 when
   installing. Having a question asked in expert mode should do the
   trick, and one could preseed that setting from the kernel command
   line to avoid having to use expert mode all the way.
 - We should probably document (e.g. in the installation guide and/or
   crossreferenced from release notes) the “GRUB_ENABLE_CRYPTODISK vs.
   LUKS2” incompatibility and the above setting once it's implemented.

One could argue that cryptodisk support has never been supported by d-i
anyway, but some users seem to have grown their own tricks/recipes to
install with this feature anyway, so we really need to try our best to
get that documented at the very least, and to have some workaround put
in place.

And for those who would wonder: It seems that LUKS2 brings some
interesting features on the security front, so it doesn't seem really
reasonable to stick to LUKS1 unconditionally.

Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

--- End Message ---
--- Begin Message ---
Source: installation-guide
Source-Version: 20191229

We believe that the bug you reported is fixed in the latest version of
installation-guide, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Samuel Thibault <sthibault@debian.org> (supplier of updated installation-guide package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Sun, 29 Dec 2019 22:14:34 +0100
Source: installation-guide
Binary: installation-guide-amd64 installation-guide-arm64 installation-guide-armel installation-guide-armhf installation-guide-i386 installation-guide-mips installation-guide-mips64el installation-guide-mipsel installation-guide-ppc64el installation-guide-s390x
Architecture: source all
Version: 20191229
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
 installation-guide-amd64 - Debian installation guide for amd64
 installation-guide-arm64 - Debian installation guide for arm64
 installation-guide-armel - Debian installation guide for armel
 installation-guide-armhf - Debian installation guide for armhf
 installation-guide-i386 - Debian installation guide for i386
 installation-guide-mips - Debian installation guide for mips
 installation-guide-mips64el - Debian installation guide for mips64el
 installation-guide-mipsel - Debian installation guide for mipsel
 installation-guide-ppc64el - Debian installation guide for powerpc
 installation-guide-s390x - Debian installation guide for s390x
Closes: 414194 794936 913389 927165 927987 929752 930476 932284 935069
 installation-guide (20191229) unstable; urgency=medium
   [ Guilhem Moulin ]
   * Add link to a guide/document for encrypted /boot. Closes: #927165
   [ Holger Wansing ]
   * Remove 'outdated translation' warning for Greek, is now fully translated.
   * Convert Czech translation from xml to po format.
   * Use <quote> </quote> tags for quotes. Closes: #929752
   * Updating chapter for choosing a network mirror. Closes: #913389
   * Updating chapter about setting up the e-mail system (exim4 is no longer
     installed by default). Closes: #930476
   * Update for 'Recommended partitioning scheme' chapter. Closes: #927987
   * Rename mdcfg into partman-md and lvmcfg into partman-lvm. Closes: #414194
   * Remove mentions of floppy. Thanks to Miguel Figueiredo for the patch.
     Closes: #935069
   * Change CD/DVD etc. into 'installation media' or 'installation image' as
     cover-term, where applicable. Closes: #794936
   * Bump release name to bullseye.
   * Remove trailing whitespaces from changelog file, to fix lintian tag.
   * Update sources.list lines for security updates according to new notation.
   [ Moritz Muehlenhoff ]
   * Update doc for apt-setup/localX/key preseeding config. Closes: #932284
   [ Samuel Thibault ]
   * Fix shortcut for high-contrast boot menu entry.
   * Bump minimum memory values: graphical installation needs 1GiB, and only
     the non-graphical installer can meet the no-desktop values.
   * rules: Use dh_prep instead of dh_clean -k.
   [ Updated translations ]
   * French by Baptiste Jammet
   * German by Holger Wansing
   * Greek by Emmanuel Galatoulas
   * Italian by Luca Monducci
   * Korean by Changwoo Ryu
   * Norwegian Bokmål by Allan Nordhøy
   * Portuguese by Miguel Figueiredo
   * Swedish by Mattias Münster
   * Spanish by Javier Fernandez-Sanguino Peña and Robert Schneider
   * Dutch by Frans Spiesschaert
 0e799e1f9399f834ff93c6635207701ac3331a99 2907 installation-guide_20191229.dsc
 c627dead540595fbc0f3cf8af314c26adc84a81a 3739376 installation-guide_20191229.tar.xz
 abe5a11e83e245744c69a15da563d907a44fea33 17013612 installation-guide-amd64_20191229_all.deb
 cfd65ecb3fa356f8f93a041769472bae9db7769c 15550876 installation-guide-arm64_20191229_all.deb
 348c0431b3b0edb903a0814a47c9ff65841d3e46 15227096 installation-guide-armel_20191229_all.deb
 f28b92bd86a6cd2c67a847b65b38a6e525b90511 15647580 installation-guide-armhf_20191229_all.deb
 b7400eab6534e40d927e9f70781ad8a2daec73b9 17061224 installation-guide-i386_20191229_all.deb
 f2ac663c09f107ad160e53bc0e398323c1ba166e 14694076 installation-guide-mips64el_20191229_all.deb
 cf851a94647504aeafa09b5cb3db49730fe9ea97 14676124 installation-guide-mips_20191229_all.deb
 7535cddb3922be626c769a471ea8ad6fc56d1f43 14696632 installation-guide-mipsel_20191229_all.deb
 715fd111986a8b32ca8d3b8d17e635149d185201 14984796 installation-guide-ppc64el_20191229_all.deb
 1d69692632681adecb687c8e24e34cd255a9d006 13528916 installation-guide-s390x_20191229_all.deb
 60c0e9a73d2205b9dfe0c07f61025eaeffbb00b7 15247 installation-guide_20191229_amd64.buildinfo
 000f9377ae74631d508792d98c0e4a9045f3487df08821bf10afc62d5ecb9ad7 2907 installation-guide_20191229.dsc
 d21a29d771edc789a9cae90cc1e8a3383cb69f172628872b8d4288deaf788370 3739376 installation-guide_20191229.tar.xz
 12273d879fdb3954914142a0e48a8497a248f89ef75c8945d9b4e4ef3bb28d56 17013612 installation-guide-amd64_20191229_all.deb
 ed0f663360ba6ca6998353ae21a4c8d784214f7e2a76263ed59ed8af3de4ece7 15550876 installation-guide-arm64_20191229_all.deb
 d03380a9da527e946f82a84033ee13a02c4b58ca34f5778cb8b4d47843941b17 15227096 installation-guide-armel_20191229_all.deb
 25d3481533e311e653866c0f2bac129198b1e298a12be7908a8cf746d5665dff 15647580 installation-guide-armhf_20191229_all.deb
 b83c3489a01133cb912c46c9da444261cd56184c0ef4481b9974e06d69e786fb 17061224 installation-guide-i386_20191229_all.deb
 167618064d7ece991e387b52e5f9e53c990c35bcc37a3107c70c9a363be8044c 14694076 installation-guide-mips64el_20191229_all.deb
 a80b14e447aed4ab1a709029b839343ac5e5e77392806a502e1bf8352d664dab 14676124 installation-guide-mips_20191229_all.deb
 493aa5e21f1899d1c842ca04ecf3248dfe405a7fed3a364e345ad4ba10c65002 14696632 installation-guide-mipsel_20191229_all.deb
 7d0b0b43d17c5ba2e5b4283ba2ed375ebebc3867a7fee6ae0d861dcadc4bca37 14984796 installation-guide-ppc64el_20191229_all.deb
 7df0acdc983efe112f1565ca31854da340f2700486e7eb8f40e3dd4e5372bb29 13528916 installation-guide-s390x_20191229_all.deb
 d167ef3eea9ee433415223432f6de67c2631a04ea146bfdfc2b660029b4051d5 15247 installation-guide_20191229_amd64.buildinfo
 294a23c0d61f072e815bf610af5c3206 2907 doc optional installation-guide_20191229.dsc
 bb41b7024de79d00e1027559f7dd41ef 3739376 doc optional installation-guide_20191229.tar.xz
 b016839c31aa2dc76febdfdf0ed0c571 17013612 doc optional installation-guide-amd64_20191229_all.deb
 a38d1fec62bc382f8c9406f8f03b93be 15550876 doc optional installation-guide-arm64_20191229_all.deb
 bf79be3f7869c1d117332a86db1888fe 15227096 doc optional installation-guide-armel_20191229_all.deb
 f215dab5e9bb0d2c244a90c87af92977 15647580 doc optional installation-guide-armhf_20191229_all.deb
 cdeffcd70cd1e5295261f2be38c49d0a 17061224 doc optional installation-guide-i386_20191229_all.deb
 55f6c63e0bab8c71ba2facbf6f9c2385 14694076 doc optional installation-guide-mips64el_20191229_all.deb
 a6e9887c2abfe04a19260943723c8ff0 14676124 doc optional installation-guide-mips_20191229_all.deb
 55a8957cf4811699b873a3695463bfff 14696632 doc optional installation-guide-mipsel_20191229_all.deb
 b428eebcc5dc2424b716ec9c01b07481 14984796 doc optional installation-guide-ppc64el_20191229_all.deb
 56582d722236b11a01d59040491c401e 13528916 doc optional installation-guide-s390x_20191229_all.deb
 7eecd3fb0a823cdf044df5ac2508cdcc 15247 doc optional installation-guide_20191229_amd64.buildinfo



--- End Message ---

Reply to: