[Bug 1184069] New: GRUB on a crypted partition takes > 10 seconds to unlock the filesystem
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069 Bug ID: 1184069 Summary: GRUB on a crypted partition takes > 10 seconds to unlock the filesystem Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: p.heinlein@heinlein-support.de QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- I installed 15.2 plain vanilla on a Thinkpad X1.Extreme Gen.3 with a ~2 TB NVME and I set a crypto disc password during installation (in YaST). Grub needs > 10 seconds to unlock the key, so booting is very slow. It's very similar to https://unix.stackexchange.com/questions/369414/grub-takes-too-long-to-unloc... https://bbs.archlinux.org/viewtopic.php?id=228865 so I also think, that the crypto or number of iterations is way to expensive here and needs too much time. Maybe the SUSE team should/could look for a similar safe, but faster method (SHA256?) here? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c1
Andreas Stieger
so I also think, that the crypto or number of iterations is way to expensive here and needs too much time. Maybe the SUSE team should/could look for a similar safe, but faster method (SHA256?) here?
What is the number of iterations configured (cryptsetup luksDump)? How many keyslots are active? The number of iterations is determined during installation by cryptsetup and is calibrated to take about 1000ms. When the disk moves or the system configuration changes this no longer matches up. On the running system when creating a volume, which value does luksFormat choose?
Maybe the SUSE team should/could look for a similar safe, but faster method (SHA256?) here?
For key derivation, fast hashes are insecure. You want slow hashes here. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c2
--- Comment #2 from Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069 http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c3 --- Comment #3 from Peer Heinlein
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c4
--- Comment #4 from Andreas Stieger
Iterations: 4104014
That seems excessive by about a factor of 4. Which kind of matches your 10s observation over the target 2s. Can you give the output of cryptsetup benchmark on this system, the PKDF2 lines? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069 http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c5 --- Comment #5 from Peer Heinlein
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c6
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c7
Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c8
--- Comment #8 from Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c9
--- Comment #9 from Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c10
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c11
--- Comment #11 from Klaus Mueller
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c12
--- Comment #12 from Andreas Stieger
Here it takes 22s to get the key on a Ryzen 7 1700X CPU. This is 21s more than it should take!
It is true that the key strengthening function is tuned to take about 1000ms for a single run to generate the key from the passphrase. The underlying problem is that the single-threaded performance for this operation has diverged so much from the running system to grub, so that strengthening parameters picked will make it run slower in grub. You can use different parameters, it is not fundamentally less secure. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c13
--- Comment #13 from Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069#c14
--- Comment #14 from Klaus Mueller
It is true that the key strengthening function is tuned to take about 1000ms for a single run to generate the key from the passphrase. The underlying problem is that the single-threaded performance for this operation has diverged so much from the running system to grub, so that strengthening parameters picked will make it run slower in grub.
This means: grub should urgently implement multi threaded operations to cope with the system capabilities. It's usual since years to parallelize work.
You can use different parameters, it is not fundamentally less secure.
The high number of iterations compensates for the poor entropy of probably most passphrases / passwords in the wild. That's how I understood it so far. Therefore it would be fatal to reduce the number of iterations to derive the key. If you have a big enough key initially derived from /dev/(u)random, it's surly possible to massively reduce the amount of iterations without reducing security at all most probably. Unfortunately, my passphrases don't reach this high entropy. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1184069
Martin Jambor
participants (1)
-
bugzilla_noreply@suse.com