Describe the bug
I am running NixOS 20.03 with a LVM-on-LUKS setup (unencrypted boot).
After switching channel to 20.09 and rebuilding, my password is no longer accepted at boot.
When I select the last 20.03 generation from GRUB, the password is accepted and the system boots fine.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Cryptsetup accepts password at boot and booting continues.
Additional context
I searched through release notes, issues and PRs, but found nothing related to my problem.
Notify maintainers
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.
- system: `"x86_64-linux"`
- host os: `Linux 5.4.72, NixOS, 20.03.3191.504f993df9a (Markhor)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.3.6`
- channels(root): `"nixos-20.09.1599.d105075a1fd, mypkgs, nur, unstable-21.03pre250162.34ad166a830"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
> nix run unstable.cryptsetup -c sudo -i cryptsetup luksDump /dev/sdb2
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: chacha20-random
sector: 512 [bytes]
integrity: poly1305
Keyslots:
0: luks2
Key: 256 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 4
Memory: 613056
Threads: 4
Salt: XX .. XX
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: nnnnnn
Salt: XX .. XX
Digest: XX .. XX
Maintainer information:
# a list of nixpkgs attributes affected by the problem
attribute: cryptsetup
# a list of nixos modules affected by the problem
module:
Do you set boot.initrd.luks.cryptoModules manually? If so try not setting it
> Do you set boot.initrd.luks.cryptoModules manually? If so try not setting it
I do and unsetting didn't solve it.
Solved! I had `boot.initrd.luks.devices.enc-pv-disk.allowDiscards = true;` in my config.
Maybe related to this:
https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.2-ReleaseNotes
... this option cannot be used for LUKS2 authenticated encryption (that uses dm-integrity for storing additional per-sector metadata).
At least there was a warning about DISCARD/TRIM not being usable after entering the password, though I didn't relate this to the issue at first.
@wamserma 20.09 should be on cryptsetup 2.3.3, master is on 2.3.4.
The default kernel on 20.09 is still 5.4.x, but these release notes are about dm-integrity.
Can you copy-paste the exact error message here you get shown? That might help seeing what broke here.
I'd also be curious about the kernel you're using, and whether switching to linux_latest works around this.
@flokli Kernel: 5.4.73 #1-NixOS SMP Thu Oct 29 08:58:11 UTC 2020 x86_64 GNU/Linux (No customization.)
In stage 1 I get the prompt Passphrase for [...]:, then after entering the passphrase:
Verifying passphrase for [...].
..Discard/TRIM is not supported.
- failure
Passphrase for [...]:
If I disable Discard/Trim in my configuration, the first message after Verifying is sth. like starting device mapper.
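
A pre-upgrade check for the conflict this thread arrived at, as an added example (not code from NixOS, cryptsetup or any participant): it parses `cryptsetup luksDump` text and reports data segments that carry an integrity algorithm when discards are requested. The function names and the sample dump, trimmed from the output posted above, are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the luksDump output posted in this thread.
SAMPLE_DUMP = """\
LUKS header information
Version: 2
Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: chacha20-random
    sector: 512 [bytes]
    integrity: poly1305
Keyslots:
  0: luks2
    Key: 256 bits
"""

def integrity_segments(dump):
    """Map data-segment id -> integrity algorithm, for segments that have one."""
    found, in_segments, seg = {}, False, None
    for raw in dump.splitlines():
        line = raw.strip()  # indentation is ignored, so flattened pastes parse too
        if not line:
            continue
        # A section header is a bare "Name:" line such as "Keyslots:".
        if re.fullmatch(r"[A-Za-z ]+:", line):
            in_segments = (line == "Data segments:")
            seg = None
            continue
        if not in_segments:
            continue
        m = re.fullmatch(r"(\d+):\s*(\S+)", line)  # e.g. "0: crypt"
        if m:
            seg = int(m.group(1))
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        # Assumption: a missing line or the value "none" means no integrity.
        if seg is not None and key == "integrity" and value not in ("", "none"):
            found[seg] = value
    return found

def discard_conflicts(dump, allow_discards):
    """Return one message per conflicting segment; empty list means compatible."""
    if not allow_discards:
        return []
    return [f"segment {s}: integrity={alg}; discards cannot be used with "
            "LUKS2 authenticated encryption"
            for s, alg in sorted(integrity_segments(dump).items())]
```

Feed it the text of `cryptsetup luksDump <device>` together with the value of `allowDiscards` from the configuration; a non-empty result means the option has to be turned off for that device.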