Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stage-1: Add interactive LUKS decrypting #234

merged 16 commits into from Nov 8, 2020


Copy link

@samueldr samueldr commented Nov 1, 2020

This builds upon #233, soon-to-be merged.

This adds the required facilities for asking for the passphrase during the boot progress tracking


In addition to a test system made specifically to test that the unlocking works.

Note that there is no automatic way to get encryption going on your device yet. This is for something further along. For the time being, you will have to manually configure your stage-1 to know about the cryptsetup setup for your device. In addition, you will have to handle cryptsetup reencrypt yourself on your device. (Check the testing system, there may be clues, e.g. using 32MB for resize.)

I will, at some point, add documentation about manually encrypting a device, but that will happen once I have done it and tested it. Though the steps are quite obvious: (1) somehow get cryptsetup reencrypt going on your rootfs (2) update stage-1 with a build that knows about the encryption.

The plan is to, instead, make a specialized "installer" boot.img (stage-1 only system) that would know about that, but this is strictly for the future.

@samueldr samueldr marked this pull request as draft November 1, 2020 22:21
@samueldr samueldr added topic: stage-1 stage-1, boot, init type: enhancement New feature or request labels Nov 1, 2020
@samueldr samueldr marked this pull request as ready for review November 7, 2020 21:14
They will, at some point, be promoted into LVGUI. For the time being
they are local as they have only been verified to work in a useful
manner for this limited use case.
The following commit will plug it into the messages queue.
For now, extremely assumed to be passphrase input.
These changes implement the different protocol changes.
This way we really only update the current state bit we want to affect.
With the same tooling we will be able to ask for a throbber or some
other kind of work indicator.
Copy link
Member Author

samueldr commented Nov 8, 2020

In addition to the VM, tested on-device with a Pinephone.

Sadly, no instructions to setup, this was all done manually in a bad way; more work is expected later for installing.

The quick notes is: prepare a custom initrd with cryptsetup and full utillinux, partition the eMMC as you would like, flash a system with a custom configuration. You might also want to use JumpDrive instead of a custom initrd, but my pinephone has issues with USB.

@samueldr samueldr merged commit 63d49f5 into NixOS:master Nov 8, 2020
@samueldr samueldr deleted the feature/stage-1-passphrase branch November 8, 2020 01:10
@mhuesch mhuesch mentioned this pull request Jan 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
topic: stage-1 stage-1, boot, init type: enhancement New feature or request
None yet

Successfully merging this pull request may close these issues.

None yet

1 participant