cryptsetup: 1.7.5 -> 2.0.2 #38382

Merged
merged 2 commits into from Jun 18, 2018

lukateras
Member

  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@lukateras
Member Author

@GrahamcOfBorg build cryptsetup

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: cryptsetup

Partial log:

shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/integritysetup
shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/cryptsetup
shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/cryptsetup-reencrypt
gzipping man pages under /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/share/man/
strip is /nix/store/fzcs0fn6bb04m82frhlb78nc03ny3w55-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/lib  /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin
patching script interpreter paths in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2
checking for references to /tmp/nix-build-cryptsetup-2.0.2.drv-0 in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2...
moving /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/* to /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/bin
/nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2

@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup

Partial log:

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: cryptsetup

Partial log:

shrinking /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/sbin/veritysetup
shrinking /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/sbin/cryptsetup
shrinking /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/lib/libcryptsetup.so.12.2.0
gzipping man pages under /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/share/man/
strip is /nix/store/3zq400fri5dv7d30lpxlqm2v9y1iis6j-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/lib  /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/sbin
patching script interpreter paths in /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2
checking for references to /build in /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2...
moving /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/sbin/* to /nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2/bin
/nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2

@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup

Partial log:

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: cryptsetup

Partial log:

/nix/store/gmrd9jyzwmkkjpllnmijxkvz0cypx5vw-cryptsetup-2.0.2

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: cryptsetup

Partial log:

shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/veritysetup
shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/integritysetup
shrinking /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/cryptsetup-reencrypt
gzipping man pages under /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/share/man/
strip is /nix/store/fzcs0fn6bb04m82frhlb78nc03ny3w55-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/lib  /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin
patching script interpreter paths in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2
checking for references to /build in /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2...
moving /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/sbin/* to /nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2/bin
/nix/store/xkf0pkhypx92mf28qlj38x2c5zmlh6vz-cryptsetup-2.0.2

@jtojnar
Contributor

jtojnar commented Apr 3, 2018

I recall there were some patches needed for compatibility but not sure what the package was.

@jtojnar
Contributor

jtojnar commented Apr 3, 2018

Oh, right that was https://pagure.io/volume_key/c/ecef526a51c5a276681472fd6df239570c9ce518?branch=master and I am already applying it in #35551

@cript0nauta
Contributor

Hi! I tried to use this patch to boot a NixOS installed in a LUKS2 encrypted device, but couldn't make it work. Apparently running cryptsetup 2 from the initrd image to mount LUKS2 devices doesn't work. I'm not sure if this should be discussed here, so ping me if you want more information about the bug.

@mkaito
Contributor

mkaito commented Apr 19, 2018

I only use this for LUKS encrypted offline storage on some thumb drives, and this has worked for me for the past 2 weeks perfectly.

flokli mentioned this pull request Jun 8, 2018
flokli added a commit to flokli/nixpkgs that referenced this pull request Jun 11, 2018

@lukateras
Member Author

@sh4r3m4n Please tell more about the bug.

@cript0nauta
Contributor

@yegortimoshenko: I had to modify the cryptsetup derivation in order to boot from a LUKS2 partition. I had to make two important changes to the pull request patch:

  1. Set NIX_LDFLAGS to lgcc_s to prevent a "libgcc.so.1 must be installed for pthread_cancel to work" error
  2. Use the --disable-kernel_crypto flag because it wasn't available from the initrd image

After these two fixes I was able to boot with LVM inside a LUKS 2 device.

Here is my custom version of the cryptsetup derivation:

({ stdenv, fetchurl, devicemapper, json_c, openssl, libuuid, pkgconfig, popt
, enablePython ? false, python2 ? null, ...
}:

assert enablePython -> python2 != null;

stdenv.mkDerivation rec {
  name = "cryptsetup-2.0.2";
  NIX_LDFLAGS = "-lgcc_s";

  src = fetchurl {
    url = "mirror://kernel/linux/utils/cryptsetup/v2.0/${name}.tar.xz";
    sha256 = "15wyjfgcqjf0wy5gxnmjj8aah33csv5v6n1hv9c8sxdzygbhb0ag";
  };

  configureFlags = [ "--enable-cryptsetup-reencrypt" "--with-crypto_backend=openssl" "--disable-kernel_crypto"]
                ++ stdenv.lib.optional enablePython "--enable-python";

  nativeBuildInputs = [ pkgconfig ];
  buildInputs = [ devicemapper json_c openssl libuuid popt ]
             ++ stdenv.lib.optional enablePython python2;

  meta = {
    homepage = https://gitlab.com/cryptsetup/cryptsetup/;
    description = "LUKS for dm-crypt";
    license = stdenv.lib.licenses.gpl2;
    maintainers = with stdenv.lib.maintainers; [ viric chaoflow ];
    platforms = with stdenv.lib.platforms; linux;
  };
}) (import <nixpkgs> {})

@lukateras
Member Author

lukateras commented Jun 15, 2018

@sh4r3m4n Thank you a lot!

Hopefully will be able to commit updated cryptsetup to the tree this week.

@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: cryptsetup

Partial log:

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: cryptsetup

Partial log:

shrinking /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/sbin/veritysetup
shrinking /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/sbin/integritysetup
shrinking /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/sbin/cryptsetup-reencrypt
gzipping man pages under /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/share/man/
strip is /nix/store/4mf2xm9p32lzrim927yk92xhx35yaz62-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/lib  /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/sbin
patching script interpreter paths in /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2
checking for references to /build in /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2...
moving /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/sbin/* to /nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2/bin
/nix/store/8l6lwrli072c86d7aa1pksf4j2dgywp5-cryptsetup-2.0.2

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: cryptsetup

Partial log:

shrinking /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/sbin/veritysetup
shrinking /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/sbin/cryptsetup
shrinking /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/lib/libcryptsetup.so.12.2.0
gzipping man pages under /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/share/man/
strip is /nix/store/min150lkigznaayzpwvf8d4jdl1dqvx6-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/lib  /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/sbin
patching script interpreter paths in /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2
checking for references to /build in /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2...
moving /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/sbin/* to /nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2/bin
/nix/store/5bigsk1jcm3a94wcpg19crkpy0ksbmqz-cryptsetup-2.0.2

NIX_LDFLAGS = "-lgcc_s";

configureFlags = [
"--disable-kernel_crypto"
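
Review bot: NIX_LDFLAGS = "-lgcc_s" and the "--disable-kernel_crypto" entry in configureFlags are both added with no comment saying why they are needed. A one-line comment beside each would help: that the linker flag avoids the "libgcc.so.1 must be installed for pthread_cancel to work" error, and that the configure flag is a workaround for kernel crypto not being available from the initrd image, so it can be dropped once that is fixed rather than carried forward silently.
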
Contributor

Why disable kernel crypto? I tried and cryptsetup builds fine without this flag.

Member Author

Because it doesn't seem to be available in initrd image, see #38382 (comment).

Contributor

I see. Is this setting likely to hurt performance of the encrypted disks? If yes, it might be better to add the missing module(s) to initrd at some point.

Member Author

It likely will hurt performance. I agree that adding missing modules to initrd would be preferable.

Contributor

I would suggest to merge this now anyway, observe the effects and optimize later if needed. What do you think?

Member Author

This is long overdue, so yes. I've opened #42163 to track this issue.

@peti
Member

peti commented Jun 20, 2018

This change broke nixos-rebuild boot because stage-1.nix no longer compiles.
