http://bugzilla.opensuse.org/show_bug.cgi?id=1166005
Bug ID: 1166005
Summary: 20s to unlock fully encrypted partition
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: axel.braun@gmx.de
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---
I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi).
When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.

X1E:/home/test # lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
nvme0n1       259:0    0 953,9G  0 disk
├─nvme0n1p1   259:1    0   500M  0 part  /boot/efi
├─nvme0n1p2   259:2    0   937G  0 part
│ └─cr_root   254:0    0   937G  0 crypt /
└─nvme0n1p3   259:3    0  16,4G  0 part  [SWAP]

linux:/home/test # cryptsetup luksDump /dev/nvme0n1p2
LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      c3 b3 b9 a1 4b cd 08 8d 93 47 59 be f1 b8 f3 24 5f ae 81 75
MK salt:        8b 87 eb c4 bd 43 4e af 57 ef eb 9f 3c 38 a9 8a
                f4 c5 63 2f 1b f6 98 1a 49 62 36 e0 9e 12 8a db
MK iterations:  153840
UUID:           720864c9-f8ed-405e-9a17-ccfa1d2f347b

Key Slot 0: ENABLED
        Iterations:             1229280
        Salt:                   5f 9b 38 6b 29 b4 2e b0 80 35 c5 bd 88 9f 77 61
                                29 6c 34 00 54 3c af a5 5a d4 f6 15 7e e4 8d c4
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
It is an i7-9750H machine, so CPU power should not be an issue...
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c1
--- Comment #1 from Axel Braun axel.braun@gmx.de ---
I have to prepare the laptop for production use, and need to change the setup due to this bug. This will happen next weekend. Please let me know by 14.03.2020 if you need additional information for this case! Thanks!
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c2
--- Comment #2 from Axel Braun axel.braun@gmx.de ---
Is systemd-boot maybe a solution for this (as I was advised on the thinkpad-linux mailing list)? Is anyone familiar with how to set it up?
Jiri Srain jsrain@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
       Assignee|jsrain@suse.com             |mchang@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c3
Benjamin Greiner code@bnavigator.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |code@bnavigator.de
--- Comment #3 from Benjamin Greiner code@bnavigator.de ---
The problem is that full disk encryption as provided by the TW installer also means encrypting /boot. The LUKS implementation in GRUB is really slow.
https://www.reddit.com/r/archlinux/comments/6ahvnk/grub_decryption_really_sl...
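The luksDump output in the report and comment #3's explanation point at the same place: GRUB has to run the key slot's PBKDF2 chain (1229280 iterations of HMAC-SHA256 for a 512-bit key) and the anti-forensic merge in its own software implementation. The following script is an added example, not part of the bug report, cryptsetup or GRUB: it parses a constructed copy of the header fields quoted above, counts the HMAC invocations and bytes one unlock attempt needs, and times the same PBKDF2 step with Python's OpenSSL-backed hashlib so the result can be set against the 20 s observed in GRUB. The passphrase is made up; the AF merge itself is not performed because it needs the on-disk key material.

```python
"""Added example (not from the bug report, cryptsetup or GRUB): parse the
LUKS1 header fields quoted in comment #0, work out how much PBKDF2 and
anti-forensic (AF) work one unlock attempt costs, and time the PBKDF2 step
with hashlib for comparison with GRUB's implementation."""
import hashlib
import re
import time

# Constructed copy of the fields from the report's `cryptsetup luksDump`
# output (values as quoted there; layout follows cryptsetup's own).
LUKS_DUMP = """\
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      c3 b3 b9 a1 4b cd 08 8d 93 47 59 be f1 b8 f3 24 5f ae 81 75
MK iterations:  153840

Key Slot 0: ENABLED
        Iterations:             1229280
        Salt:                   5f 9b 38 6b 29 b4 2e b0 80 35 c5 bd 88 9f 77 61
                                29 6c 34 00 54 3c af a5 5a d4 f6 15 7e e4 8d c4
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
"""

LUKS1_DIGEST_SIZE = 20  # the LUKS1 master-key digest is always 20 bytes


def parse_luks1_dump(text):
    """Return the header fields a LUKS1 unlock depends on as a dict."""
    def field(name, pattern=r"(\S+)"):
        m = re.search(re.escape(name) + r":\s*" + pattern, text)
        if not m:
            raise ValueError(f"missing field {name!r}")
        return m.group(1)

    # First enabled slot: iteration count, (possibly wrapped) salt, AF stripes.
    slot = re.search(
        r"Key Slot (\d+): ENABLED\s+Iterations:\s+(\d+)\s+Salt:\s+([0-9a-f\s]+?)\s+"
        r"Key material offset:\s+(\d+)\s+AF stripes:\s+(\d+)",
        text,
    )
    if not slot:
        raise ValueError("no enabled key slot found")
    return {
        "hash": field("Hash spec"),
        "mk_bits": int(field("MK bits", r"(\d+)")),
        "mk_iterations": int(field("MK iterations", r"(\d+)")),
        "slot": int(slot.group(1)),
        "slot_iterations": int(slot.group(2)),
        "salt": bytes.fromhex("".join(slot.group(3).split())),
        "af_stripes": int(slot.group(5)),
    }


def unlock_work(info):
    """Count the expensive operations one passphrase attempt needs."""
    key_len = info["mk_bits"] // 8                       # 64-byte master key
    digest_len = hashlib.new(info["hash"]).digest_size   # 32 for sha256
    # PBKDF2 runs a full iteration chain per digest-sized block of output.
    slot_blocks = -(-key_len // digest_len)              # ceil(64 / 32) = 2
    mk_blocks = -(-LUKS1_DIGEST_SIZE // digest_len)      # ceil(20 / 32) = 1
    return {
        "slot_hmac_calls": slot_blocks * info["slot_iterations"],
        "mk_check_hmac_calls": mk_blocks * info["mk_iterations"],
        "af_bytes_to_merge": info["af_stripes"] * key_len,
    }


def derive_slot_key(passphrase, info, iterations=None):
    """PBKDF2 step of a LUKS1 unlock. The AF merge of the on-disk key
    material that follows it is skipped here (no key material available)."""
    count = info["slot_iterations"] if iterations is None else iterations
    return hashlib.pbkdf2_hmac(info["hash"], passphrase, info["salt"],
                               count, info["mk_bits"] // 8)


def time_slot_kdf(passphrase, info):
    """Seconds hashlib needs for the slot's full iteration count."""
    start = time.perf_counter()
    derive_slot_key(passphrase, info)
    return time.perf_counter() - start


if __name__ == "__main__":
    header = parse_luks1_dump(LUKS_DUMP)
    for name, value in unlock_work(header).items():
        print(f"{name:22s} {value:,}")
    secs = time_slot_kdf(b"constructed passphrase", header)
    print(f"hashlib PBKDF2 for key slot {header['slot']}: {secs:.2f} s")
```

Run as is, the script reports about 2.46 million HMAC-SHA256 invocations for the slot, 153840 more for the master-key digest check and 256000 bytes of key material to merge; hashlib gets through the PBKDF2 part in a second or two on a laptop CPU, so most of the 20 s is the cost of GRUB's own hash implementation rather than the iteration count. It also explains the observation in comment #6 that three very different CPUs all take about 20 s: cryptsetup benchmarks PBKDF2 on the machine at format time and picks the iteration count to hit a fixed target time, so an implementation that is a constant factor slower lands at roughly the same wall-clock time everywhere.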
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c4
Neil Rickert nwr10cst-oslnx@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |nwr10cst-oslnx@yahoo.com
--- Comment #4 from Neil Rickert nwr10cst-oslnx@yahoo.com ---
> Is systemd-boot maybe a solution for this
I don't think so. You can install it with "bootctl", and there is probably a man page for that on your system. But I think it only sets up a framework that you have to maintain. So whenever there's a kernel update, you would have to update the boot configuration for systemd-boot.
Note that systemd-boot avoids the problem you are having, because the kernel and "initrd" are copied into the EFI partition. But you could also avoid your problem by just copying kernel, "initrd" and "grub.cfg" into the EFI partition yourself. You would run into the same problem, that after a kernel update you would have to reconfigure booting.
Another alternative is to use a separate unencrypted "/boot". I do that (it requires using the expert partitioner during install). But then I am using "ext4". The problem when using "btrfs" is that if you do a rollback to an earlier snapshot, that rolls back the kernel modules but does not roll back the kernel. So a separate "/boot" is not recommended with "btrfs".
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c5
--- Comment #5 from Michael Chang mchang@suse.com ---
As Neil has pointed out, systemd-boot couldn't boot anything beyond firmware. The framework (i.e. the systemd boot loader specification) mandates that a shared $boot partition must be VFAT formatted so that UEFI firmware can access it, and certainly without any encryption.
Vojtech Zeisek Vojtech.Zeisek@opensuse.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |Vojtech.Zeisek@opensuse.org
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c6
--- Comment #6 from Vojtech Zeisek Vojtech.Zeisek@opensuse.org ---
I have on three systems an encrypted LVM containing the whole root and swap, so the only unencrypted part is /boot/efi. The CPUs are Intel Atom x5-Z8350 [1], Intel Core™ i5-6300U [2] and AMD Ryzen 9 3900X [3]. They do differ considerably in performance, but interestingly, on all three machines the decryption takes 20 seconds. :-) All systems have SSD disks.
[1] https://ark.intel.com/content/www/us/en/ark/products/93361/intel-atom-x5-z83... [2] https://ark.intel.com/content/www/us/en/ark/products/88190/intel-core-i5-630... [3] https://www.amd.com/en/products/cpu/amd-ryzen-9-3900x
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c7
--- Comment #7 from Axel Braun axel.braun@gmx.de ---
(In reply to Vojtech Zeisek from comment #6)
> I have on three systems an encrypted LVM containing the whole root and swap, so the only unencrypted part is /boot/efi. The CPUs are Intel Atom x5-Z8350 [1], Intel Core™ i5-6300U [2] and AMD Ryzen 9 3900X [3]. They do differ considerably in performance, but interestingly, on all three machines the decryption takes 20 seconds. :-) All systems have SSD disks.

Sounds like a conceptual problem in grub. I have re-partitioned the laptop with only /home encrypted, and now everything is fine.
Ignacio Taranto itaranto7@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |itaranto7@gmail.com
Ignacio Taranto ignacio_taranto@protonmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|itaranto7@gmail.com         |
http://bugzilla.opensuse.org/show_bug.cgi?id=1166005#c9
Dirk Weber d_werner@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |d_werner@gmx.net
--- Comment #9 from Dirk Weber d_werner@gmx.net ---
Just to cross reference this issue to bug 1184069, which seems very similar and contains some further analysis and links.
Martin Jambor mjambor@suse.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |mjambor@suse.com