Closed b0ch3nski closed 5 years ago
Thank you for the report. I'm not using discard myself but I'll try to find the culprit. Maybe @stuffo who is the author of discard support have any idea?
I can't see the obvious issue here either. Let's wait for the author for a while. We can dig further if need be.
@b0ch3nski can you try if https://github.com/agherzan/yubikey-full-disk-encryption/commit/b8e148a574a27f1a9926051a54de4656cc5bd6de fixed this for you?
I've tried the current code base. With debugging enabled, I can see that cryptsetup luksOpen
is, at least in theory, invoked with --allow-discards
parameter.
Unfortunately, it has no effect - dmsetup table
still doesn't show that discard is enabled.
Just to make sure that nothing has broken in between, I've regenerated initramfs again, with ykfde
hook replaced with encrypt
, rebooted, and then discard is back again. So the problem must be somewhere in YFDE code :cry:
Hm, I switched to the same code that Arch encrypt hook uses. If --allow-discards
is already passed for cryptsetup luksOpen
then I don't know what else we could do.
What type of LUKS container do you use? Is it LUKS2? Did you formatted it with --integrity option?
You may try removing allow-discards
from GRUB_CMDLINE_LINUX
and add it only for YKFDE_LUKS_OPTIONS
in ykfde.conf
.
You may also try booting from external media and open LUKS container through ykfde-open
with YKFDE_LUKS_OPTIONS="--allow-discards"
in ykfde.conf
to see if it works this way.
Simply switching from ykfde
hook to encrypt
enables discard again, without any other changes, so there must be some difference over the code :thinking:
I'm using LUKS1. I've also tried previously forcing it by setting YKFDE_LUKS_OPTIONS="--allow-discards"
- it also has no effect... Booting from another media is quite a lot of work and I might try it in spare time, but I cannot promise when that would be.
When you set YKFDE_LUKS_OPTIONS="--allow-discards"
, did you also remove allow-discards
from GRUB_CMDLINE_LINUX
? If not then try removing it from there.
You may also try creating LUKS container in a file (or unused partition, usb device) for test with ykfde-format
and open it with ykfde-open
with YKFDE_LUKS_OPTIONS="--allow-discards"
in ykfde.conf
.
If nothing works then you may also treat it as a feature as using discard in LUKS is generally recommended against as it leaks data usage patterns :smile:.
I'm not sure if this is going to help you, but the setting to allow discards in /etc/crypttab is simply discard
.
We don't use /etc/crypttab
. We pass --allow-discards
to cryptsetup directly on unlock.
I've solved my issue by converting to LUKS2 and using persistent flags as described in Arch wiki.
The root cause is still unknown, but at least it works now :smiley:
@b0ch3nski it took quite long time but I finally fixed this issue with https://github.com/agherzan/yubikey-full-disk-encryption/commit/50e45b6c219b2acea89760fef4abbae938661262
Here's explanation from commit description:
'allow-discards wasn't working for both automatic reading 'cryptdevice' kernel parameter and 'YKFDE_LUKS_OPTIONS' variable from 'ykfde.conf' due to following reasons:
YKFDE_LUKS_OPTIONS was unconditinally overwritten by 'cryptargs' from 'cryptdevice' kernel parameter even when the latter was empty.
Original 'cryptargs' paramter was initialized with an empty value which resulted with an additional whitespace character before '--allow-discards' which therefore wasn't properly passed to cryptsetup thus was ignored.
This commit fixes both cases.
With YFDE, I cannot get the
discard
to work in any way...According to the documentation, YFDE should read configuration from
cryptdevice
kernel parameter. This works, but not forallow-discards
part.Grub config -
/etc/default/grub
:Following line was enough to enable
discard
without YFDE.So I've tried to force it in
/etc/ykfde.conf
:Regenerated the
initramfs
, rebooted, and still no go. Executingdmsetup table
doesn't show thatdiscard
is supported.