cryptsetup: 1.7.5 -> 2.0.2 #38382
@GrahamcOfBorg build cryptsetup
Success on x86_64-linux. Attempted: cryptsetup
No attempt on x86_64-darwin. The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup
Success on aarch64-linux. Attempted: cryptsetup
No attempt on x86_64-darwin. The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup
Success on aarch64-linux. Attempted: cryptsetup
Success on x86_64-linux. Attempted: cryptsetup
I recall there were some patches needed for compatibility but not sure what the package was.
Oh, right that was https://pagure.io/volume_key/c/ecef526a51c5a276681472fd6df239570c9ce518?branch=master and I am already applying it in #35551
Hi! I tried to use this patch to boot a NixOS installed on a LUKS2 encrypted device, but couldn't make it work. Apparently, running cryptsetup 2 from the initrd image to mount LUKS2 devices doesn't work. I'm not sure if this should be discussed here, so ping me if you want more information about the bug.
I only use this for LUKS encrypted offline storage on some thumb drives, and this has worked for me for the past 2 weeks perfectly.
supersedes NixOS#35551 closes NixOS#34999 /cc NixOS#38382
@sh4r3m4n Please tell more about the bug.
@yegortimoshenko: I had to modify the cryptsetup derivation in order to boot from a LUKS2 partition. I had to make two important changes to the pull request patch
After these two fixes I was able to boot with LVM inside a LUKS 2 device. Here is my custom version of the cryptsetup derivation:

```nix
# The derivation function is applied to <nixpkgs> on the last line,
# so this file can be evaluated on its own.
({ stdenv, fetchurl, devicemapper, json_c, openssl, libuuid, pkgconfig, popt
, enablePython ? false, python2 ? null, ...
}:

assert enablePython -> python2 != null;

stdenv.mkDerivation rec {
  name = "cryptsetup-2.0.2";

  NIX_LDFLAGS = "-lgcc_s";

  src = fetchurl {
    url = "mirror://kernel/linux/utils/cryptsetup/v2.0/${name}.tar.xz";
    sha256 = "15wyjfgcqjf0wy5gxnmjj8aah33csv5v6n1hv9c8sxdzygbhb0ag";
  };

  # Use the OpenSSL backend and build without the kernel crypto interface.
  configureFlags = [ "--enable-cryptsetup-reencrypt" "--with-crypto_backend=openssl" "--disable-kernel_crypto" ]
    ++ stdenv.lib.optional enablePython "--enable-python";

  nativeBuildInputs = [ pkgconfig ];
  buildInputs = [ devicemapper json_c openssl libuuid popt ]
    ++ stdenv.lib.optional enablePython python2;

  meta = {
    homepage = https://gitlab.com/cryptsetup/cryptsetup/;
    description = "LUKS for dm-crypt";
    license = stdenv.lib.licenses.gpl2;
    maintainers = with stdenv.lib.maintainers; [ viric chaoflow ];
    platforms = with stdenv.lib.platforms; linux;
  };
}) (import <nixpkgs> {})
```
@sh4r3m4n Thank you a lot! Hopefully will be able to commit updated cryptsetup to the tree this week.
No attempt on x86_64-darwin. The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup
Success on x86_64-linux. Attempted: cryptsetup
Success on aarch64-linux. Attempted: cryptsetup
NIX_LDFLAGS = "-lgcc_s"; | ||
|
||
configureFlags = [ | ||
"--disable-kernel_crypto" |
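Review bot: the `"--disable-kernel_crypto"` entry in `configureFlags` and the `NIX_LDFLAGS = "-lgcc_s";` line above it carry no comment saying why they are needed, so a later version bump could drop them as leftovers. Add a one-line Nix comment next to each stating the reason; for the flag, also say whether it is meant as a temporary workaround, since it changes how the package is built for every user and not only for initrd use.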
Why disable kernel crypto? I tried and cryptsetup builds fine without this flag.
Because it doesn't seem to be available in initrd image, see #38382 (comment).
I see. Is this setting likely to hurt performance of the encrypted disks? If yes, it might be better to add the missing module(s) to initrd at some point.
It likely will hurt performance. I agree that adding missing modules to initrd would be preferable.
I would suggest to merge this now anyway, observe the effects and optimize later if needed. What do you think?
This is long overdue, so yes. I've opened #42163 to track this issue.
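One way to check the point raised in the review thread above (kernel crypto not being available in a given environment), as an added example that is not part of this PR or of cryptsetup: it probes the kernel's userspace crypto socket interface (AF_ALG), which cryptsetup's kernel crypto support relies on. The probe list and all function names are assumptions made for this example.

```python
import errno
import socket

# Constructed probe list: (AF_ALG type, kernel algorithm name).
# Which algorithms a particular cryptsetup setup requests is an assumption here.
PROBES = [
    ("skcipher", "xts(aes)"),
    ("skcipher", "cbc(aes)"),
    ("hash", "sha256"),
]


def explain(err):
    """Map an errno from socket()/bind() to the likely cause."""
    if err == 0:
        return "available"
    if err == errno.EAFNOSUPPORT:
        return "AF_ALG family missing (af_alg not built in or not loadable)"
    if err == errno.ENOENT:
        return "type or algorithm missing (algif_* or cipher module not loadable)"
    return "unexpected error: " + errno.errorcode.get(err, str(err))


def probe(alg_type, alg_name):
    """Return 0 if the kernel accepts the bind, otherwise the errno."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:  # Python built without AF_ALG support
        return errno.EAFNOSUPPORT
    try:
        with socket.socket(family, socket.SOCK_SEQPACKET, 0) as sock:
            sock.bind((alg_type, alg_name))
        return 0
    except OSError as exc:
        return exc.errno or errno.EIO


def report():
    """Probe every entry and return {"type:name": explanation}."""
    return {f"{t}:{n}": explain(probe(t, n)) for t, n in PROBES}


if __name__ == "__main__":
    for key, status in report().items():
        print(f"{key:22} {status}")
```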
This change broke |