Bug#1033678: installation-reports: Unbootable install: MBR partition unusable with UEFI

2023-03-31 Thread Steve McIntyre
On Thu, Mar 30, 2023 at 09:12:05AM -0700, Dima Kogan wrote:
>Pascal Hambourg  writes:
>
>> On 30/03/2023 at 01:21, Dima Kogan wrote:
>>> I had to turn off
>>> secure-boot and UEFI in the BIOS.
>>
>> Why ? What happens if UEFI boot is enabled ?
>
>If UEFI was enabled, the USB device isn't seen by the machine in its
>list of valid boot devices

Ugh, that sounds like a *particularly* crappy firmware bug then :-(
What boot options does the firmware list in that case?

Hmm, checking: 

https://www.dell.com/support/manuals/en-uk/latitude-14-5420-laptop/lati_5420_om/uefi-bios?guid=guid-892bb204-aa23-43e3-aa1f-0c2b66c0ddc3&lang=en-us

the "Important Information" section looks like it might be relevant?

>> How did you prepare the USB drive ? What installation image did you
>> use (full file name and URL please) ?
>
>From yesterday's email:
>
>  I downloaded this:
>
>debian-bookworm-DI-alpha2-amd64-netinst.iso
>
>  from here:
>
>https://cdimage.debian.org/cdimage/bookworm_di_alpha2/amd64/iso-cd/
>
>  and I wrote that .iso to /dev/sde
>
>I did "cp debian-bookworm-DI-alpha2-amd64-netinst.iso /dev/sde"

OK, that all sounds fine.

>>> I'm not 100% sure of the exact cause. But I strongly suspect that
>>> booting the install media without UEFI broke installing to an UEFI-only
>>> disk.
>>
>> If the installer was booted in BIOS/legacy mode, it installed GRUB for
>> legacy boot.
>
>Was this a choice the installer made, or was it the only option? I don't
>actually have a workaround yet. And if the installer had a check box to
>ask for a GPT even though the install media was booted without UEFI,
>then I could at least get this working after some fiddling.

This *might* help you:

 * partman:

   If the system is booted in EFI mode, partman defaults to GPT for
   disk partitioning. If not, it will default to MSDOS.

   In partman, hitting  on the raw disk will allow you to
   create a new blank partition table; this will take the default type
   normally, and you won't be asked.

   *If* you switch to expert mode from the main menu (i.e. drop
   question priority), then go back into partman, you can choose to
   use a different partition type. By all means try GPT here, and
   create an EFI system partition (ESP) too.

 * grub-installer:

   This depends on the system being booted in EFI mode to do the right
   thing. If you're not, you *might* be able to make things work by
   editing the script /usr/bin/grub-installer and replace the line
   ARCH="$(archdetect)" with ARCH="amd64/efi". I've not tested this,
   but you *might* be able to progress here.

The installer is *very* much designed to only set up EFI-relevant
stuff if you're booted in EFI mode.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Google-bait:   https://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.



Bug#1033737: flash-kernel: Unable to run flash-kernel on EFI-based systems

2023-03-31 Thread Isaac True
Package: flash-kernel
Version: 3.106
Severity: normal
File: flash-kernel
X-Debbugs-Cc: isaac@is.having.coffee

Dear Maintainer,

As part of our CI/CD system, we are building images for target devices.
The images are set up in virtual machines which boot using EFI, but
flash-kernel installation always fails as it detects that the system is
running in EFI by checking for the existence of /sys/firmware/efi. 

Being able to setup the image on these VMs is an important part of our
testing and validation workflow, so it would be very helpful to have an
option to skip this check and proceed regardless of whether the system
is currently running in EFI mode or not. 

I've added a debdiff for a proposal for a new parameter --force-efi
which can be set to skip this check.

---

diff -Nru flash-kernel-3.106/debian/changelog 
flash-kernel-3.106+nmu1/debian/changelog
--- flash-kernel-3.106/debian/changelog 2022-04-22 23:55:41.0 +
+++ flash-kernel-3.106+nmu1/debian/changelog2023-03-31 13:04:23.0 
+
@@ -1,3 +1,10 @@
+flash-kernel (3.106+nmu1) UNRELEASED; urgency=medium
+
+  * Skip EFI detection mechanism when the --force-efi option
+has been set.
+
+ -- Isaac True   Fri, 31 Mar 2023 13:04:23 +
+
 flash-kernel (3.106) unstable; urgency=medium

   * db/all.db: Move MNT Reform 2 boards later to fix sort order.
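
Review bot: the new changelog bullet ("Skip EFI detection mechanism when the --force-efi option has been set.") does not reference the report it answers; adding "Closes: #1033737" lets the upload close the bug automatically. The "+nmu1" version marks this as a non-maintainer upload, so if the maintainers apply the change themselves the entry belongs under their next regular version instead.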
diff -Nru flash-kernel-3.106/flash-kernel.8 
flash-kernel-3.106+nmu1/flash-kernel.8
--- flash-kernel-3.106/flash-kernel.8   2022-03-23 14:22:28.0 +
+++ flash-kernel-3.106+nmu1/flash-kernel.8  2023-03-31 13:04:23.0 
+
@@ -3,7 +3,7 @@
 .SH NAME
 flash-kernel \- put kernel and initramfs in boot location
 .SH SYNOPSIS
-.B flash-kernel [--supported] [--force] [kvers]
+.B flash-kernel [--supported] [--force] [--force-efi] [kvers]
 .SH DESCRIPTION
 flash-kernel is a script which will put the kernel and initramfs in
 the boot location of embedded devices that don't load the kernel and
@@ -25,6 +25,11 @@
 match. Valid filenames for images to flash are suffixed with the
 subarchitecture.
 .P
+Normally, flash\-\-kernel will abort the installation if it detects that
+it is running in an EFI-based environment. If the \-\-force\-efi option
+is used, flash\-kernel will skip this check and continue with the
+installation.
+.P
 If the \-\-supported option is used, flash\-kernel will test to see if
 the hardware is supported, and return a true or false value.
 .SH ENVIRONMENT VARIABLES
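
Review bot: the first added line spells the program name "flash\-\-kernel", which renders as "flash--kernel"; it should be "flash\-kernel" as in the third added line. The paragraph also says flash-kernel will "abort the installation" on EFI, while the guarded branch in functions prints "skipping" and does "exit 0", so describing it as a skip avoids suggesting a non-zero exit. It would help to add that the option only bypasses this one check and that flash-kernel then goes on to write the boot location for the machine it matches.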
diff -Nru flash-kernel-3.106/functions flash-kernel-3.106+nmu1/functions
--- flash-kernel-3.106/functions2022-04-12 19:43:15.0 +
+++ flash-kernel-3.106+nmu1/functions   2023-03-31 13:04:23.0 +
@@ -679,6 +679,11 @@
force="yes"
shift
 fi
+force_efi="no"
+if [ "x$1" = "x--force-efi" ]; then
+   force_efi="yes"
+   shift
+fi
 if [ "x$1" = "x--machine" ]; then
machine="$2"
shift 2
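
Review bot: "--force-efi" is only recognised at this exact position, after "--force" and before "--machine", because each option is compared against "$1" once in a fixed order. An invocation such as "flash-kernel --force-efi --force" would leave "--force" unparsed. Either state the required order in the man page or parse the options in a loop. The name is also easy to misread: the option ignores EFI detection rather than forcing EFI behaviour, so something like "--ignore-efi" would be clearer.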
@@ -789,9 +794,10 @@
kfile=$(readlink -e "$kfile")
 fi

-if [ -d /sys/firmware/efi ]; then
+if [ -d /sys/firmware/efi ] && [ "x$force_efi" != "xyes" ]; then
# skipping when detect EFI
echo "System running in EFI mode, skipping."
+   echo "Use --force-efi if you want to skip this check."
exit 0
 fi

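Review bot: when force_efi is "yes" the guard at "if [ -d /sys/firmware/efi ] && ..." is bypassed without any output, so a build log gives no sign that flash-kernel deliberately ran on an EFI host. Print a one-line notice in that case, preferably to stderr, so the override is visible when reviewing CI output. The new hint next to the existing "skipping" message is fine as it is.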


Bug#1033737: flash-kernel: Unable to run flash-kernel on EFI-based systems

2023-03-31 Thread Isaac True
Alternatively, this could be an environment variable to allow flash-kernel to 
run non-interactively on an EFI system (such as when installing/updating with 
apt, or after updating the initrd).

---

diff -Nru flash-kernel-3.106/debian/changelog 
flash-kernel-3.106+nmu1/debian/changelog
--- flash-kernel-3.106/debian/changelog 2022-04-22 23:55:41.0 +
+++ flash-kernel-3.106+nmu1/debian/changelog2023-03-31 14:28:23.0 
+
@@ -1,3 +1,10 @@
+flash-kernel (3.106+nmu1) UNRELEASED; urgency=medium
+
+  * Skip EFI detection mechanism when the FK_FORCE_EFI environment
+variable is set to "yes".
+
+ -- Isaac True   Fri, 31 Mar 2023 14:28:23 +
+
 flash-kernel (3.106) unstable; urgency=medium

   * db/all.db: Move MNT Reform 2 boards later to fix sort order.
diff -Nru flash-kernel-3.106/flash-kernel.8 
flash-kernel-3.106+nmu1/flash-kernel.8
--- flash-kernel-3.106/flash-kernel.8   2022-03-23 14:22:28.0 +
+++ flash-kernel-3.106+nmu1/flash-kernel.8  2023-03-31 14:28:11.0 
+
@@ -40,6 +40,10 @@
 .B choice of machine may cause host filesystem partitions to be mounted and
 .B modified.

+.IP FK_FORCE_EFI
+Skip EFI detection when this variable is set to `yes'. Normally, flash-kernel
+will abort if it detects that the system is running in EFI mode.
+
 .SH FILES
 .TP
 .B /usr/share/flash-kernel/db/all.db
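
Review bot: the FK_FORCE_EFI entry says flash-kernel "will abort" in EFI mode, but the guarded branch in functions prints "skipping" and exits 0; word it as a skip so readers do not expect a failure status. The text should also say that only the exact value "yes" is honoured, because the test is a string comparison against "xyes" and values such as "1" or "true" leave the check in place.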
diff -Nru flash-kernel-3.106/functions flash-kernel-3.106+nmu1/functions
--- flash-kernel-3.106/functions2022-04-12 19:43:15.0 +
+++ flash-kernel-3.106+nmu1/functions   2023-03-31 14:28:23.0 +
@@ -789,7 +789,7 @@
kfile=$(readlink -e "$kfile")
 fi

-if [ -d /sys/firmware/efi ]; then
+if [ -d /sys/firmware/efi ] && [ "x$FK_FORCE_EFI" != "xyes" ]; then
# skipping when detect EFI
echo "System running in EFI mode, skipping."
exit 0
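
Review bot: FK_FORCE_EFI is read straight from the environment in '[ "x$FK_FORCE_EFI" != "xyes" ]', so it applies to every flash-kernel run that inherits it, and nothing is printed when it takes effect. Log a line when the override is active so an unexpected run on an EFI host can be traced back to the variable, and extend the "System running in EFI mode, skipping." message to name FK_FORCE_EFI, as the --force-efi proposal did for its option.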



Bug#1033193: marked as done (debian-installer help screen: url to doc page)

2023-03-31 Thread Debian Bug Tracking System
Your message dated Fri, 31 Mar 2023 22:19:11 +
with message-id 
and subject line Bug#1033193: fixed in debian-installer 20230401
has caused the Debian Bug report #1033193,
regarding debian-installer help screen: url to doc page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-installer
Severity: wishlist

On the F2 help page, we currently have

...

See the Installation Guide or the FAQ for more information; both
documents are available at the Debian web site, http://www.debian.org/


Please mention the exact URL where to find the installation-guide
and Debian FAQ docs (http://www.debian.org/doc/).
The current (new) layout of the webpage has no link to the doc section,
as it was in the past (in the footer).
Thus, for people being new to Debian it might not be intuitive, to find
those documents. Diving into the deep of the webpage might not be what
beginners do.
http://www.debian.org/doc/ however has links to those both documents 
prominently visible at the top.

I seem to remember, that there was already a similar request some years 
ago, but I don't find it in the archive.
From memory, I think there were arguments like "There's a link pointing
to documentation in the footer, that should be enough" but that's no longer
true since the overhaul of the webpage.
Thus this request.

If we strictly want the top level URL listed, it could be added separately
in a paragraph like 

"Visit http://www.debian.org for general information about the Debian project
and its operating system."

(The F2 help page has enough free room for such additional paragraph.)


(Oh, I just saw there is another mention of the installation-guide and FAQ on
F9 help, with the same generic debian.org URL. Could change that as well.)


Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076
--- End Message ---
--- Begin Message ---
Source: debian-installer
Source-Version: 20230401
Done: Cyril Brulebois 

We believe that the bug you reported is fixed in the latest version of
debian-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois  (supplier of updated debian-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 31 Mar 2023 23:11:45 +0200
Source: debian-installer
Architecture: source
Version: 20230401
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Closes: 1033193
Changes:
 debian-installer (20230401) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Bump Linux kernel ABI to 6.1.0-7.
   * Add pigz to Build-Depends.
   * Replace `gzip -n` with `pigz -nm` in various places (keeping other
 flags like -9, -v, -f):
  - build/Makefile
  - build/config/*.cfg (x86 and arm* only)
  - build/util/gen-hd-image
  - build/util/gen-tarball
   * Update translation-status for the release.
 .
   [ Samuel Thibault ]
   * build/boot/x86/f2.txt: Update minimum disk size for installation.
   * build/pkg-lists/{cdrom/grub/gtk/arm64.cfg,netboot/gtk/arm64.cfg}: Enable
 sound modules and speakup on arm64 gtk images.
   * build/boot/x86/f[29].txt: Make documentation link more precise.
 Closes: #1033193.

Processing of debian-installer_20230401_source.changes

2023-03-31 Thread Debian FTP Masters
debian-installer_20230401_source.changes uploaded successfully to localhost
along with the files:
  debian-installer_20230401.dsc
  debian-installer_20230401.tar.gz
  debian-installer_20230401_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



debian-installer_20230401_source.changes ACCEPTED into unstable

2023-03-31 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 31 Mar 2023 23:11:45 +0200
Source: debian-installer
Architecture: source
Version: 20230401
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Closes: 1033193
Changes:
 debian-installer (20230401) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Bump Linux kernel ABI to 6.1.0-7.
   * Add pigz to Build-Depends.
   * Replace `gzip -n` with `pigz -nm` in various places (keeping other
 flags like -9, -v, -f):
  - build/Makefile
  - build/config/*.cfg (x86 and arm* only)
  - build/util/gen-hd-image
  - build/util/gen-tarball
   * Update translation-status for the release.
 .
   [ Samuel Thibault ]
   * build/boot/x86/f2.txt: Update minimum disk size for installation.
   * build/pkg-lists/{cdrom/grub/gtk/arm64.cfg,netboot/gtk/arm64.cfg}: Enable
 sound modules and speakup on arm64 gtk images.
   * build/boot/x86/f[29].txt: Make documentation link more precise.
 Closes: #1033193.



Bug#1028250: debian-installer: broken cryptsetup support

2023-03-31 Thread Cyril Brulebois
Hi again,

Cyril Brulebois  (2023-03-26):
> I'm happy to have the patches included, and I can definitely live with
> possible temporary regressions (should that happen) that might arise
> from having them.

Pre-upload testing shows that the situation seems unchanged with
2:2.6.1-3~deb12u1: encrypted LVM still OOMK's with otherwise default
options in the installer, when the VM is started with `kvm -m 1G`;
that's fine with `kvm -m 1.2G` so at least it didn't seem to regress
from the previous d-i release, and I've decided to continue d-i preps
accordingly.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1033678: installation-reports: Unbootable install: MBR partition unusable with UEFI

2023-03-31 Thread Dima Kogan
Hi all. Thanks for the replies. I was just able to get it installed. And
here are some notes about what happened, and about how we can do better.

I got it running by using a friend's usb installer. HIS usb disk was a
valid UEFI boot disk, so I could boot in UEFI mode, and do the normal
install, which completed successfully.

As stated earlier, I made my USB install disk like this:

>  I downloaded this:
>
>debian-bookworm-DI-alpha2-amd64-netinst.iso
>
>  from here:
>
>https://cdimage.debian.org/cdimage/bookworm_di_alpha2/amd64/iso-cd/
>
>  and I wrote that .iso to /dev/sde
>
>cp debian-bookworm-DI-alpha2-amd64-netinst.iso /dev/sde

This worked, but apparently this was not a valid UEFI thing. Which I
didn't know. Maybe some clearer instructions on the website would help.
I was here:

  https://www.debian.org/devel/debian-installer/

Clicking on "amd64" under "other images (netboot, USB stick, etc.)"
gives me listings of files that I don't know what to do with. I ended up
getting the "CD" image, which gave me an .iso file that I did know what
to do with. The iso-cd page:

  https://cdimage.debian.org/cdimage/bookworm_di_alpha2/amd64/iso-cd/

has some quick instructions which maybe would be helpful for those that
don't know what to do with an .iso. It does mention UEFI, but only when
describing the "mac" image. So better UEFI notes on the iso-cd page. And
any kind of notes on the USB page would be good.


Next. Steve McIntyre suggested installing in "expert mode", and then
explicitly creating a GPT partition table. This worked, but I didn't
read his suggestion closely enough, and didn't add an ESP partition.
Because I didn't know anything about it. The installer allowed me to do
that, and once again, created an unbootable installation. Should the
installer have yelled at me? Just because I was in "expert mode" doesn't
mean I know what I'm doing :)

I guess that's it. In the default path where the installer just picks
the partition kind (MBR, GPT, ) I don't think it ever said anything
about that being a choice at all. If it at least had text somewhere
about creating an "MBR", or something, that would probably be good.

Thanks.



Bug#1033678: installation-reports: Unbootable install: MBR partition unusable with UEFI

2023-03-31 Thread Pascal Hambourg

Hello,

On 01/04/2023 at 00:41, Dima Kogan wrote:

> I got it running by using a friend's usb installer. HIS usb disk was a
> valid UEFI boot disk, so I could boot in UEFI mode, and do the normal
> install, which completed successfully.

How was this "usb installer" created ?

> cp debian-bookworm-DI-alpha2-amd64-netinst.iso /dev/sde
>
> This worked, but apparently this was not a valid UEFI thing.

It is bootable in EFI mode on all UEFI PCs I tested.

> Next. Steve McIntyre suggested installing in "expert mode", and then
> explicitly creating a GPT partition table. This worked, but I didn't
> read his suggestion closely enough, and didn't add an ESP partition.


Anyway the installer partitioner (partman) would not allow creating an
EFI system partition when booted in BIOS/legacy mode, and the boot
loader installer (grub-installer) would not allow installing GRUB for
EFI boot (even though some UEFI firmware accepts booting from a regular
FAT partition, or you may create an EFI partition with fdisk-udeb or
parted-udeb in an installer shell, and you may install grub-efi-amd64
with apt-install in an installer shell).
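
The two failure modes in this thread (installer booted in BIOS/legacy mode, or a GPT disk with no ESP) can be checked before rebooting on any system that has lsblk. The script below is an added example, not code from debian-installer or from anyone in the thread; the function names and status strings are made up for illustration, and the `lsblk -P` lines are constructed samples.

```shell
#!/bin/sh
# Added example: pre-reboot check for the two problems in this thread.
# Function names and status strings are illustrative, not d-i code.

# GPT partition type GUID of an EFI system partition (ESP).
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

# boot_mode [ROOT]: /sys/firmware/efi exists only when the kernel was
# booted via EFI. ROOT lets the check be pointed at a test tree.
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo efi; else echo bios; fi
}

# field KEY LINE: value of KEY="..." in one line of `lsblk -P` output.
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# uefi_layout_status MODE: reads `lsblk -P -o NAME,PTTYPE,PARTTYPE DISK`
# lines on stdin and prints "<status> pttype=<label>", where status is
#   bios-mode  installer not booted via EFI: GRUB is set up for legacy boot
#   no-esp     booted via EFI but the disk has no EFI system partition
#   ok         booted via EFI and an ESP exists
uefi_layout_status() {
    mode=$1 pttype=none esp=no
    while IFS= read -r line; do
        pt=$(field PTTYPE "$line")
        [ -n "$pt" ] && pttype=$pt
        ptype=$(field PARTTYPE "$line" | tr 'A-Z' 'a-z')
        case "$ptype" in
            "$ESP_GUID"|0xef) esp=yes ;;   # 0xef is the MBR type for an ESP
        esac
    done
    if [ "$mode" != efi ]; then status=bios-mode
    elif [ "$esp" = no ]; then status=no-esp
    else status=ok
    fi
    echo "$status pttype=$pttype"
}

# Constructed sample: GPT created in expert mode, no ESP added.
sample_gpt_no_esp() {
    cat <<'EOF'
NAME="sda" PTTYPE="gpt" PARTTYPE=""
NAME="sda1" PTTYPE="gpt" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
EOF
}

# Constructed sample: GPT with an ESP and a Linux filesystem partition.
sample_gpt_with_esp() {
    cat <<'EOF'
NAME="sda" PTTYPE="gpt" PARTTYPE=""
NAME="sda1" PTTYPE="gpt" PARTTYPE="C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
NAME="sda2" PTTYPE="gpt" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
EOF
}

# Constructed sample: the MSDOS label partman picks in BIOS mode.
sample_mbr() {
    cat <<'EOF'
NAME="sda" PTTYPE="dos" PARTTYPE=""
NAME="sda1" PTTYPE="dos" PARTTYPE="0x83"
EOF
}

sample_gpt_no_esp   | uefi_layout_status efi
sample_gpt_with_esp | uefi_layout_status efi
sample_mbr          | uefi_layout_status bios
# Real use: lsblk -P -o NAME,PTTYPE,PARTTYPE /dev/sdX | uefi_layout_status "$(boot_mode)"
```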




Bug#1028250: debian-installer: broken cryptsetup support

2023-03-31 Thread Guilhem Moulin
Hi kibi,

On Sat, 01 Apr 2023 at 00:36:35 +0200, Cyril Brulebois wrote:
> Cyril Brulebois  (2023-03-26):
>> I'm happy to have the patches included, and I can definitely live with
>> possible temporary regressions (should that happen) that might arise
>> from having them.
>
> Pre-upload testing shows that the situation seems unchanged with
> 2:2.6.1-3~deb12u1: encrypted LVM still OOMK's with otherwise default
> options in the installer, when the VM is started with `kvm -m 1G`;
> that's fine with `kvm -m 1.2G` so at least it didn't seem to regress
> from the previous d-i release, and I've decided to continue d-i preps
> accordingly.

Ah right, reopened the upstream issue but forgot to follow-up here :-(
https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1328592911

As I wrote in the upstream BTS the patch appears to be incomplete,
AFAICT it helps in the PBKDF benchmark but just like you I also noticed
it still sometimes fails while running the keyslot key derivation.
Unfortunately I only found that out *after* uploading ~deb12u1…  It was
premature to think one could remove the errata from the bookworm d-i,
but at least I'm quite confident that does not make the OOMK issue
worse: it solves it at early stage but it sometimes still triggers
later.

From a user perspective, I guess it's best to stick to the errata for
now (at least for the graphical installer; in text mode 1G RAM appears to
be enough according to my tests).  Depending on what upstream comes up
with we might suggest to fix that via s-p-u later.

Thanks to you, elbrus, and other Release Team members for everything!
-- 
Guilhem.




Please dak copy-installer 20230401

2023-03-31 Thread Cyril Brulebois
Hi,

FTP team, please sync the installer from sid to testing, as it seems to
be Installed for all release architectures (9 total):

  dak copy-installer 20230401


Release team: FYI, I've unblocked and urgented it.


Thanks for your time.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#788227: marked as done (add 512 bit key-size for AES (XTS-AES))

2023-03-31 Thread Debian Bug Tracking System
Your message dated Sat, 1 Apr 2023 02:22:45 +0200
with message-id 
and subject line add 512 bit key-size for AES (XTS-AES)
has caused the Debian Bug report #788227,
regarding add 512 bit key-size for AES (XTS-AES)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
788227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: partman-crypto
Version: 82

This report is to request (with patch) allowing 512 bit key-size when 
using XTS-AES for disk encryption (via the xts-aes-plain64 cipher). 
This started as a query to the mailing list (which seems useless, by the 
way) which is CC'd.


--

On 05/26/2015 02:09 PM, Nathan Schulte wrote:

> As it stands, it appears the installer requires you to create a
> partition table on the Encrypted Volumes and does not allow using the
> entire device alone.  I believe this feature was available in the past,
> though I could be mis-recalling.  Either way, I was able to do this in
> the past and I'm pretty sure I haven't forgotten anything about what I
> did.


After much trial and error, I was able to get this working with a rather 
simple procedure:


partman (or the step just prior) will detect and list open LUKS devices 
if setup (manually) before entering the wizard.  The display is a bit 
misleading, as partman shows the encrypted volumes as having a single 
partition, but in this mode it does not create a partition table as you 
would have to do should you choose to use the partman wizard to create 
the encrypted volumes.



> On a related note, I believe the partman-crypto part of the partitioner
> should allow for selecting 512 bit key sizes, as the default cipher
> (aes-xts-plain64) effectively halves the chosen key size.  This ought to
> be a straight-forward patch.


This is an extremely simple patch, which is attached.  The comment is of 
interest, however:



add 512 bit key-size for AES (XTS-AES)

the aes-xts-plain64 cipher effectively halves the chosen keysize due to
keysplitting used in the algorithm.  Thus, choosing a 256 bit key-size
does not lead to AES 256 encryption but AES 128 instead.

There's probably a better way to convey this to the user, as they'll need
to be vigilant in order to make use of this.  As well, it may be wise to
default to 256 bit key-size in the UI, and I believe this change will
cause the default selection to be 512.


--
Nate
From 5af2b9ccc99a8f1cf3be62ff3faea37f2785a480 Mon Sep 17 00:00:00 2001
From: Nathan Schulte 
Date: Tue, 9 Jun 2015 09:46:53 -0500
Subject: [PATCH] add 512 bit key-size for AES (XTS-AES)

the aes-xts-plain64 cipher effectively halves the chosen keysize due to
keysplitting used in the algorithm.  Thus, choosing a 256 bit key-size
does not lead to AES 256 encryption but AES 128 instead.

There's probably a better way to convey this to the user, as they'll need
to be vigilant in order to make use of this.  As well, it may be wise to
default to 256 bit key-size in the UI, and I believe this change will
cause the default selection to be 512.
---
 ciphers/dm-crypt/aes/keysize | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ciphers/dm-crypt/aes/keysize b/ciphers/dm-crypt/aes/keysize
index ab43da4..be82d8d 100644
--- a/ciphers/dm-crypt/aes/keysize
+++ b/ciphers/dm-crypt/aes/keysize
@@ -1 +1 @@
-256 192 128
+512 256 192 128
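
Review bot: 512 is placed at the head of the list in "+512 256 192 128", and the commit message itself expects this to change the default selection to 512; if the first entry is what the UI preselects, keep 256 as the preselected value or set the default explicitly rather than relying on list order. The file sits under ciphers/dm-crypt/aes/ and is not specific to XTS, so check that 512 cannot be chosen together with a non-XTS mode, where AES has no 512-bit key.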
-- 
2.1.4

--- End Message ---
--- Begin Message ---
Hi,


The debian installer (since buster) automatically doubles the selected
key size when XTS mode is selected.

So selecting a 256 key and XTS means it will end up using a 512 key.

This matches what cryptsetup does by default

From
https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/bookworm/docs/v2.1.0-ReleaseNotes#L39
* Cryptsetup now doubles LUKS default key size if XTS mode is used
  (XTS mode uses two internal keys). This does not apply if key size
  is explicitly specified on the command line and it does not apply
  for the plain mode.
  This fixes a confusion with AES and 256bit key in XTS mode where
  code used AES128 and not AES256 as often expected.


More details:
https://salsa.debian.org/installer-team/partman-crypto/-/merge_requests/6
--- End Message ---
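
The key splitting both messages describe (an XTS key holds two AES keys, so a 256-bit XTS key means AES-128) can be audited on an existing volume header. This is an added example, not code from partman-crypto or cryptsetup; the function names are illustrative, and the dump is a constructed sample laid out like the LUKS1 header fields "Cipher name", "Cipher mode" and "MK bits".

```shell
#!/bin/sh
# Added example: report which AES key length a LUKS1 header implies.

# aes_bits_per_key MODE KEYBITS: XTS splits the volume key into two
# equal halves (data key and tweak key); other modes use it whole.
aes_bits_per_key() {
    case "$1" in
        xts|xts-*) echo $(( $2 / 2 )) ;;
        *)         echo "$2" ;;
    esac
}

# header_field NAME: print the value of a "NAME: value" line from stdin.
# Only the prefix is stripped, so values containing ':' (for example
# cbc-essiv:sha256) survive intact.
header_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# audit_luks1_dump: read luksDump-style text (LUKS1 layout) on stdin,
# print "<cipher>-<mode> key=<bits> aes=<bits>" and return
#   0  AES with a 256-bit key per AES instance
#   1  anything else (e.g. XTS with a 256-bit volume key = AES-128)
#   2  header fields missing or not numeric
audit_luks1_dump() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | header_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | header_field "Cipher mode")
    bits=$(printf '%s\n' "$dump" | header_field "MK bits")
    case "$bits" in
        ''|*[!0-9]*) echo "unparsed"; return 2 ;;
    esac
    [ -n "$name" ] && [ -n "$mode" ] || { echo "unparsed"; return 2; }
    aes=$(aes_bits_per_key "$mode" "$bits")
    echo "$name-$mode key=$bits aes=$aes"
    [ "$name" = aes ] && [ "$aes" -ge 256 ]
}

# Constructed sample, not taken from a real device.
# $1 = volume key bits, $2 = cipher mode
sample_dump() {
    printf 'Version:\t1\nCipher name:\taes\nCipher mode:\t%s\n' "$2"
    printf 'Hash spec:\tsha256\nMK bits:\t%s\n' "$1"
}

# The case from the bug report: 256 chosen, XTS in use (status 1 expected).
sample_dump 256 xts-plain64 | audit_luks1_dump || true
# What the installer produces since the key size is doubled for XTS.
sample_dump 512 xts-plain64 | audit_luks1_dump
# A non-XTS mode uses the whole key for one AES instance.
sample_dump 256 cbc-essiv:sha256 | audit_luks1_dump
```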