Hi,

Jinesh Choksi <jin...@onelittlehope.com> (2023-07-02):
> The issue is this block of code:
> https://salsa.debian.org/installer-team/partman-crypto/-/blob/master/check.d/crypto_check_mountpoints#L94-102
>
> This 17 year old "Check - Is there a /boot partition for encrypted
> root?" is no longer valid.

It is.

> Grub2 added support for accessing LUKS1 partitions in 2011 -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a251b71915e40194d12995dbac9efd787687f988

Sure, that's known, and there were two talks during Mini-DebConfs in 2019 about this and LUKS2 (Marseille, Hamburg).

> Grub2 support for LUKS2 is also present but only for PBKDF2 keys -
> https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

And since default LUKS2 settings are argon2id (argon2i previously), that means that cannot work.

> For people who use LUKS1 to do full disk encryption, this "Check - Is
> there a /boot partition for encrypted root?" is a blocker in the
> Debian installer.

People finding their way to use LUKS1 instead of the default LUKS2 can remove this check on their own.

> Dear maintainer(s), please review this bug report and remove this
> check.

Not until GRUB gets support for argon2i{d,}. And that's where my focus is right now when it comes to d-i vs. LUKS. PoC at https://salsa.debian.org/kibi/grub/-/commits/luks2-argon2-v0 but I have better plans to investigate.

Cheers,
-- 
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
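The compatibility constraint discussed in this message (GRUB reads LUKS1 and, for LUKS2, only PBKDF2 keyslots, while the LUKS2 default is argon2id) can be checked from a volume header. The sketch below is an added example, not part of the original message and not code from partman-crypto or GRUB; the function names are hypothetical and the sample headers are constructed, carrying only the fields the parser reads.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # LUKS2 binary header; the JSON metadata area follows it


def keyslot_kdfs(header: bytes) -> dict:
    """Return {keyslot id: KDF name} for a LUKS header blob."""
    if header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack(">H", header[6:8])
    if version == 1:
        # LUKS1 has no per-slot KDF field: every keyslot uses PBKDF2.
        return {"*": "pbkdf2"}
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    # hdr_size covers the binary header plus the JSON area.
    (hdr_size,) = struct.unpack(">Q", header[8:16])
    if hdr_size <= BIN_HDR_SIZE or len(header) < hdr_size:
        raise ValueError("truncated LUKS2 header")
    raw = header[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0]  # drop NUL padding
    meta = json.loads(raw)
    return {sid: slot["kdf"]["type"] for sid, slot in meta["keyslots"].items()}


def grub_readable_slots(header: bytes) -> list:
    """Keyslots using PBKDF2, the only KDF the message says GRUB handles."""
    return sorted(s for s, kdf in keyslot_kdfs(header).items() if kdf == "pbkdf2")


def make_luks2_header(kdfs: dict, hdr_size: int = 16384) -> bytes:
    """Constructed sample: minimal LUKS2 header with only the fields read above."""
    meta = {"keyslots": {sid: {"type": "luks2", "kdf": {"type": kdf}}
                         for sid, kdf in kdfs.items()}}
    binary = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(BIN_HDR_SIZE, b"\0")
    return (binary + json.dumps(meta).encode()).ljust(hdr_size, b"\0")


if __name__ == "__main__":
    samples = [
        ("LUKS2 default", make_luks2_header({"0": "argon2id"})),
        ("LUKS2 mixed", make_luks2_header({"0": "argon2id", "1": "pbkdf2"})),
        ("LUKS1", (LUKS_MAGIC + struct.pack(">H", 1)).ljust(592, b"\0")),
    ]
    for name, blob in samples:
        print(name, keyslot_kdfs(blob), "GRUB-readable:", grub_readable_slots(blob))
```

An empty result for a LUKS2 volume is the case the installer check guards against: no keyslot the boot loader can derive a key from, so an unencrypted /boot is still needed.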