[Bug 1166005] New: 20s to unlock fully encrypted partition

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

            Bug ID: 1166005
           Summary: 20s to unlock fully encrypted partition
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Bootloader
          Assignee: jsrain@suse.com
          Reporter: axel.braun@gmx.de
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi).
When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.

X1E:/home/test # lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1       259:0    0 953,9G  0 disk
├─nvme0n1p1   259:1    0   500M  0 part  /boot/efi
├─nvme0n1p2   259:2    0   937G  0 part
│ └─cr_root   254:0    0   937G  0 crypt /
└─nvme0n1p3   259:3    0  16,4G  0 part  [SWAP]

linux:/home/test # cryptsetup luksDump /dev/nvme0n1p2
LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      c3 b3 b9 a1 4b cd 08 8d 93 47 59 be f1 b8 f3 24 5f ae 81 75
MK salt:        8b 87 eb c4 bd 43 4e af 57 ef eb 9f 3c 38 a9 8a
                f4 c5 63 2f 1b f6 98 1a 49 62 36 e0 9e 12 8a db
MK iterations:  153840
UUID:           720864c9-f8ed-405e-9a17-ccfa1d2f347b

Key Slot 0: ENABLED
        Iterations:             1229280
        Salt:                   5f 9b 38 6b 29 b4 2e b0 80 35 c5 bd 88 9f 77 61
                                29 6c 34 00 54 3c af a5 5a d4 f6 15 7e e4 8d c4
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

It is an i7-9750H machine, so CPU power should not be an issue...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c1

--- Comment #1 from Axel Braun <axel.braun@gmx.de> ---
I have to prepare the Laptop for production use, and need to change the setup due to this bug. This will happen next weekend.
Please let me know by 14.03.2020 if you need additional information for this case!

Thanks!

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c2

--- Comment #2 from Axel Braun <axel.braun@gmx.de> ---
Is systemd-boot maybe a solution for this (as I was advised on the thinkpad -linux mailing list)?
Anyone familiar how to set it up?

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

Jiri Srain <jsrain@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|jsrain@suse.com             |mchang@suse.com

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c3

Benjamin Greiner <code@bnavigator.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |code@bnavigator.de

--- Comment #3 from Benjamin Greiner <code@bnavigator.de> ---
The problem is, that full disk encryption as provided by the TW installer also means encrypting /boot. The LUKS implementation of GRUB is really slow.

https://www.reddit.com/r/archlinux/comments/6ahvnk/grub_decryption_really_sl...
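
The key-derivation work behind the luksDump values in the report, as an added example that is not part of the bug thread or of GRUB or cryptsetup code: opening a LUKS1 key slot runs PBKDF2 with the slot's iteration count to produce a key of "MK bits" length, then PBKDF2 again over the recovered master key with "MK iterations". The function names, the constructed passphrase and the all-zero salt are assumptions; timing it in the running OS gives a baseline to set against the 20 s seen in GRUB.

```python
import hashlib
import math
import re
import time

# Fields copied from the luksDump output in the report (salt/digest lines left out).
LUKS_DUMP = """\
Version: 1
Hash spec: sha256
MK bits: 512
MK iterations: 153840
Key Slot 0: ENABLED
    Iterations: 1229280
    AF stripes: 4000
Key Slot 1: DISABLED
"""

def parse_luks1_dump(text):
    """Extract hash, master-key size (bytes), MK iterations and enabled-slot iterations."""
    info, slot = {"slots": {}}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        m = re.fullmatch(r"Key Slot (\d+)", key)
        if m:
            slot = int(m.group(1)) if value == "ENABLED" else None
        elif key == "Hash spec":
            info["hash"] = value
        elif key == "MK bits":
            info["mk_bytes"] = int(value) // 8
        elif key == "MK iterations":
            info["mk_iterations"] = int(value)
        elif key == "Iterations" and slot is not None:
            info["slots"][slot] = int(value)
    return info

def total_prf_calls(info, slot):
    """HMAC calls for one unlock: PBKDF2 repeats all iterations per output block."""
    blocks = math.ceil(info["mk_bytes"] / hashlib.new(info["hash"]).digest_size)
    return blocks * info["slots"][slot] + info["mk_iterations"]

def time_unlock_kdf(info, slot, passphrase=b"constructed-passphrase"):
    """Seconds spent in the two PBKDF2 passes (AF merge and decryption omitted)."""
    salt = bytes(32)  # constructed all-zero salt; cost does not depend on its value
    start = time.perf_counter()
    # slot_key stands in for the recovered master key below (same length).
    slot_key = hashlib.pbkdf2_hmac(info["hash"], passphrase, salt, info["slots"][slot], info["mk_bytes"])
    hashlib.pbkdf2_hmac(info["hash"], slot_key, salt, info["mk_iterations"], 20)  # 20-byte MK digest
    return time.perf_counter() - start

if __name__ == "__main__":
    info = parse_luks1_dump(LUKS_DUMP)
    print(total_prf_calls(info, 0), "HMAC calls,", round(time_unlock_kdf(info, 0), 2), "s in this OS")
```

With sha256 (32-byte output) and a 512-bit master key, the slot PBKDF2 needs two output blocks, so the slot's iteration count is paid twice per unlock attempt.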

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c4

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nwr10cst-oslnx@yahoo.com

--- Comment #4 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> Is systemd-boot maybe a solution for this

I don't think so.

You can install it with "bootctl", and there is probably a man page for that on your system. But I think it only sets up a framework that you have to maintain. So whenever there's a kernel update, you would have to update the boot configuration for systemd-boot.

Note that systemd-boot avoids the problem you are having, because the kernel and "initrd" are copied into the EFI partition. But you could also avoid your problem by just copying kernel, "initrd" and "grub.cfg" into the EFI partition yourself. You would run into the same problem, that after a kernel update you would have to reconfigure booting.

Another alternative is to use a separately unencrypted "/boot". I do that (it requires using the expert partitioner during install). But then I am using "ext4". The problem when using "btrfs", is that if you do a rollback to an earlier snapshot, that rolls back the kernel modules but does not rollback the kernel. So a separate "/boot" is not recommended with "btrfs".

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c5

--- Comment #5 from Michael Chang <mchang@suse.com> ---
As Neil has pointed out, the systemd-boot couldn't boot anything beyond firmware. The framework (ie the systemd boot loader specification) mandates a shared $boot partition must be VFAT formatted so that UEFI firmware can access it, certainly without any encryption too.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

Vojtech Zeisek <Vojtech.Zeisek@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Vojtech.Zeisek@opensuse.org

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c6

--- Comment #6 from Vojtech Zeisek <Vojtech.Zeisek@opensuse.org> ---
I have on three systems encrypted LVM containing whole root and swap, so the only unencrypted part is /boot/efi. The CPUs are Intel Atom x5-Z8350 [1], Intel Core™ i5-6300U [2] and AMD Ryzen 9 3900X [3]. They considerably do differ in their performances, but interestingly, on all three machines the decryption takes 20 seconds. :-) All systems have SSD disks.

[1] https://ark.intel.com/content/www/us/en/ark/products/93361/intel-atom-x5-z83...
[2] https://ark.intel.com/content/www/us/en/ark/products/88190/intel-core-i5-630...
[3] https://www.amd.com/en/products/cpu/amd-ryzen-9-3900x

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c7

--- Comment #7 from Axel Braun <axel.braun@gmx.de> ---
(In reply to Vojtech Zeisek from comment #6)
> I have on three systems encrypted LVM containing whole root and swap, so the
> only unencrypted part is /boot/efi. The CPUs are Intel Atom x5-Z8350 [1],
> Intel Core™ i5-6300U [2] and AMD Ryzen 9 3900X [3]. They considerably do
> differ in their performances, but interestingly, on all three machines the
> decryption takes 20 seconds. :-) All systems have SSD disks.

Sounds like a conceptual problem in grub.
I have re-partitioned the Laptop with only /home encrypted, and now everything is fine.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

Ignacio Taranto <itaranto7@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |itaranto7@gmail.com

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

Ignacio Taranto <ignacio_taranto@protonmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|itaranto7@gmail.com         |

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c9

Dirk Weber <d_werner@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d_werner@gmx.net

--- Comment #9 from Dirk Weber <d_werner@gmx.net> ---
Just to cross reference this issue to bug 1184069 which seems very similar and contains some further analysis and links.

http://bugzilla.opensuse.org/show_bug.cgi?id=1166005

Martin Jambor <mjambor@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjambor@suse.com