-
Notifications
You must be signed in to change notification settings - Fork 389
-
Notifications
You must be signed in to change notification settings - Fork 389
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add checkbox to not encrypt /boot in GUI #1938
Comments
Please draw a suggestion -- screenshotted from Calamares, and then edited with Kolourpaint, or MSPaint, or whatever, showing where you think such a checkbox would fit. |
Other text suggestions: "Not encrypting /boot makes the master-key decryption more user friendly and faster, but makes the kernel vulnerable for malicious modification if physical access to the device is given" (I think the kernel is in /boot, right?) "Not encrypting /boot makes the system decrypt the master key faster, but /boot will be vulnerable if physically accessed" |
The following patch is not a toggle, however it does disable /boot and swap from being encrypted, enables btrfs as the default, adds a 1gb ext4 boot partition, configures the remaining space as a btrfs partition, and sets "" for the root subvolume (essentially allowing usage with snapper). This more or less aligns with Fedora's default Anaconda installation using btrfs (+ encryption), and while boot and swap are not encrypted, this achieves the nice plymouth password gui rather than forcing the grub prompt. The only difference between this and Fedora is that (1) Fedora creates subvolumes for root (/) and home (/home) by default. Those would look something like this in modules/mount.conf:
(2) Fedora does not apply any swap by default because the Fedora-shipped kernel already enables zswap: https://fedoraproject.org/wiki/Changes/Scale_ZRAM_to_full_memory_size Therefor if swap is enabled in the installer, you end up with two swaps, one for zswap, one for the configured swap. If you don't want to allow swap options you can set these in modules/partition.conf (# means to comment these lines):
PatchFrom 7c4ab9c633232f161de3f43abc95cebbe7a7db52 Mon Sep 17 00:00:00 2001 From: Thomas Crider Date: Mon, 21 Nov 2022 22:46:50 -0500 Subject: [PATCH 3/3] Apply Fedora Btrfs encryption defaultssrc/modules/mount/mount.conf | 13 ++----- diff --git a/src/modules/mount/mount.conf b/src/modules/mount/mount.conf for root.btrfsSubvolumes:
diff --git a/src/modules/partition/core/PartitionActions.cpp b/src/modules/partition/core/PartitionActions.cpp
diff --git a/src/modules/partition/core/PartitionLayout.cpp b/src/modules/partition/core/PartitionLayout.cpp
diff --git a/src/modules/partition/partition.conf b/src/modules/partition/partition.conf 300MiB is the default, M is treated as MiB, and if you really wantone-million (10^6) bytes, use MB.-# efiSystemPartitionSize: 300M This optional setting specifies the name of the EFI system partition (seePARTLABEL; gpt only; requires KPMCore >= 4.2.0).@@ -65,7 +65,7 @@ efiSystemPartition: "/boot/efi" Correctly draw nested (e.g. logical) partitions as such.-drawNestedPartitions: false Show/hide partition labels on manual partitioning page.alwaysShowPartitionLabels: true If nothing is specified, Calamares defaults to "ext4".Names are case-sensitive and defined by KPMCore.-defaultFileSystemType: "ext4" Selectable filesystem type, used when "erase" is done.@@ -253,3 +253,14 @@ defaultFileSystemType: "ext4" the welcome module, and configure this value in
|
This would be an extremely useful feature for Lubuntu and Kubuntu, especially if we could set a configuration option in the distro config that just enforced that /boot is always unencrypted. Lubuntu has been warned by someone from Canonical that the use of encrypted /boot uses code paths in GRUB that are unsupported and could be a security risk. I'll probably help add this feature if possible, is this something the Calamares devs are still interested in having if someone's willing to put in the elbow grease to make it happen? |
Contributions are always welcome. I think the question would be how to do it in an elegant way. I guess if it is about Erase disk, Replace Partition or Install Alongside it could be done by adding an element in Manual partitioning I guess we could disable the encryption checkbox with a message explaining why it was disabled? That would allow the distro to choose if It would still require the user to use manual partitioning if the distro allowed it but they didn't want it encrypted but I think that is OK. |
IMO one good way to do it might be to use the same UI as the second screenshot @sezanzeb posted. But then additionally, in |
Honestly, I think that is too confusing for most users. The average user will not know what to choose there. Also, encrypting On the other hand, if it is a distro choice, that makes it simpler and there is no reason to offer an additional option there. |
I like that idea a lot. It's already possible to set up unencrypted /boot via manual partitioning, so just adding the distro option should be sufficient. I'll work on getting that added. Any advice on what the option's name should be and what module it belongs in? I liked the idea of |
I don't think it needs to be limited to In |
Just to be sure (I can find this out myself but I figure you already know the answer to this), the current default behavior of Calamares is to encrypt all partitions listed in |
It excludes the ESP, mounted at |
Perfect. If all goes according to plan, I'll probably have a PR tomorrow with a |
Had a ton of work today and didn't manage to hardly get any time to work on this, but I made some progress. Going to try again tomorrow I guess. |
Another aspect of this issue I didn't think of until trying to implement this is, if a distro specifies a custom partition layout using |
Does Ubuntu have a separate Either way, I would probably treat that as a separate problem. That may be a bit tricky to deal with since luks isn't the only supported encryption method. We also have zfs encryption supported. |
Correct, Ubuntu only has a separate /boot partition when LUKS is enabled.
It also currently doesn't support ZFS encryption in any installer
that I'm aware of, though that's no reason Lubuntu and Kubuntu need to not
support it. I agree that this is a separate problem, but I can always just
do two commits and PR them at the same time. I can even open a separate
feature request about this if it would help everyone keep track better.
This raises a second question - does Calamares try to create all partitions
specified in the layout when doing an "install alongside" operation? Or
does it only create one partition in that instance? If the former, what
happens when doing a "replace partition" operation? I'm assuming (since the
documentation is a bit unclear here) that Calamares will try to create all
partitions specified in the layout, and I can see that having strange
effects for multi-boot system users since they'll end up with a slew of
extra /boot partitions.
I'll take a closer look at the ZFS encryption code and see how that works.
It appears that from a LUKS standpoint ZFS partitions are treated as
unencrypted no matter what and then some deeper part of the code enables
ZFS encryption at the right time. I don't see how that would conflict with
having the "Encrypt system" checkbox also switch to a second partition
layout that the distro uses only on encrypted systems.
|
Yes. It uses the same layout for alongside, entire disk and replace partition.
Is there another option here? You can't really share
The challenge is that since zfs is different than luks you might not want to use the luks layout. |
Right, thus why it might be nice to have different layout types. That being said, it might not be the end of the world. I'll bring it up to the teams I'm a part of and see what they think.
On top of that you also have the possibility of people mixing ZFS and non-ZFS partitions on the same disk potentially (though hopefully that would be rare). I think for now I'll just submit the "make encryption optional in a partition layout" patch and then possibly do a downstream patch for adjusting partition layouts based on whether encryption is enabled or not, if that's even desirable (which it might not be). |
I looked some more at partition.conf, and I'm not sure I can see what
you mean about not wanting the LUKS layout when zfs is in use.
Calamares just puts ZFS inside partitions like any other filesystem,
right? And it appears from ZfsJob.cpp that ZFS encryption is
implemented by simply passing the right flags to the zpool command. If
someone wants one partition layout when unencrypted, and another one
when encrypted, I don't see why the use of a different encryption
backend would mean that the partition layout for encryption would be
wrong. The point of an alternate partition layout would be so that if
the unreadable nature of an encrypted partition messed with things,
that can be worked around.
The main reason I want something like this is because "Replace a
partition" will behave poorly if a /boot partition is always made and
the user is in the habit of reinstalling their system using it. In
Lubuntu, we have at least one prominent tester who frequently
"refreshes" their machines by using the "replace partition" feature on
an existing Lubuntu partition. If we make an extra /boot partition
every time, then an extra /boot partition will be made on every
reinstall, meaning that after, say, five reinstalls, you'd have four
obsolete /boot partitions and only one useful one. Fixing that would
require a lengthy and disk-intensive process of deleting the spare
/boot partitions and moving the used /boot and root partitions to the
start of the disk.
Another option could be to allow specifying different layouts for
unencrypted, encrypted, and encrypted-with-ZFS-in-use.
|
But what causes problems with luks and what causes problems with zfs aren't the same.
But that has nothing to do with encryption, right? You can encrypt in replace partition as well. From a distro perspective, it seems very strange to me that the result of the installation would be different if you choose replace vs entire disk. I don't think most users would be expecting that they wouldn't get a
This seems like a really narrow use case. Couldn't you educate that person to delete the old partitions first? What about all the people who use replace partition in situation other than re-installing like replacing another distro or OS? Also, if you aren't worried about not having a |
Here your experience is greater than mine so I'll defer to you on that one.
True, but... meh. There's only so far one can go. If someone's taking advantage of Calamares' ability to do a "clean install" that keeps user data and applications (which is what this tester oftentimes does), they're probably doing an unencrypted install over an unencrypted install. If the original install was encrypted, Calamares couldn't do a "refresh" operation in this way.
Totally agree here. Thus why I'm making it the difference between encrypted vs. unencrypted.
I guess I could, but it seems like the ability to replace a partition while keeping user data and applications is a use case Calamares explicitly supports, so I don't see why its narrowness should be an issue. (Or perhaps this one tester is doing something other than what I think he's doing and Calamares doesn't support this at all.)
That circles back around to the original problem - /boot has to be separate to allow it to be unencrypted, and in some distros /boot must remain unencrypted for (ironically) security reasons (not to mention that Plymouth has a 10x better disk decryption UI than GRUB does). I explicitly don't mind the creation of extra /boot partitions when doing a replace operation with encryption enabled. It's when encryption is disabled that the extra /boot partition when doing a replace operation is frustrating. In any event, it sounds like this is probably going to have to be a downstream patch, which I'm happy with. |
I'm realizing possibly part of the problem here is that my idea of being able to specify a secondary partition layout is way too complex (taking a look at the code also made that plan look like a bad idea). The ability to enable encryption or not is a binary decision anyway, so... what if I added another option, If ZFS could cause complications with that solution also, it would be helpful to know what it might look like if a problem like that arose, since I may be able to work around those issues if I know what they are. |
Is your feature request related to a problem? Please describe.
Describe the solution you'd like
A checkbox to not encrypt
/boot
with a tooltip that explains the benefits and risksDescribe alternatives you've considered
Having templates for the manual partitioning could also improve it, but would still be not as user friendly as simply a checkbox to tick.
The text was updated successfully, but these errors were encountered: