Bugzilla – Bug 1214218
Installation with custom Luks2 Encryption does not add plymouth-plugin-label-ft
Last modified: 2023-08-14 16:29:05 UTC
When installing Tumbleweed with an encrypted root filesytem, but a seperate unencrypted boot partition, to leverage systemd-cryptenroll, the luks2 unlocking is handled by plymouth. Plymouth asks the user to enter the passphrase, but by default on openSUSE Tumbleweed this is only an input box without any text. You have to manually install plymouth-plugins (I think plymouth-plugin-label-ft) is the correct one, but I installed multiple plugins. After that the user is prompted with additional texts, which comes handy if you enroll tpm2 or fido2 keys that need a short Pin to unlock the Luks2 drive. (Then you can distinguish if you have to enter a pin or passphrase, because it is displayed as text below the input box) Otherwise you will only get a simple input box without any explanation at all. By default the openSUSE TW Installer encrypts the whole root partition without a seperate unencrypted boot partition (fully encrypted). Then the decryption is handled by Grub Stage 1 and you might not be aware that the problem for my usecase exists.
If I understand your request correctly, you would like to get package plymouth-plugin-label-ft automatically installed if you are about to install a LUKS2 encrypted system. You'd prefer that to happen only if there is a separate /boot partition. Correct so far?
Is there any good reason not to simply always install that package if the target system uses encryption?
The way we have been doing that since the advent of libstorage-ng / yast-storage-ng with SLE-15 / Leap 15.0 is that we are checking for storage features that the target system will be using, and those are mapped to support packages for that technology: If using Btrfs, you'll get btrfsprogs. If using ext2/3/4, you'll get e2fsprogs. Etc. https://github.com/yast/yast-storage-ng/blob/master/src/lib/y2storage/storage_feature.rb#L56-L102 This is a 1:1 mapping of storage features to support packages. We are injecting those packages into the libzypp pool of packages that will be installed, and dependencies are resolved automatically. But in your suggestion, there would be more conditions: - Only if the target will be using plymouth; because without plymouth, that plymouth plugin will not work. Or, worse, if we simply add a plymouth plugin, that would require the plymouth base package; which may or may not be desired. - Only if there is a separate unencrypted /boot partition. That would add a whole new level of complications; right now you'll get the support package if the target system will use a certain storage technology. Both conditions would open a whole new can of worms that I think we'd rather avoid.
sudo zypper info --requires plymouth-plugin-label-ft > Information for package plymouth-plugin-label-ft: > ------------------------------------------------- > Repository : Main Repository > Name : plymouth-plugin-label-ft > Version : 0.9.5~git20210406.e554475-150400.3.8.1 > Arch : x86_64 > Vendor : SUSE LLC <https://www.suse.com/> > Installed Size : 10.3 KiB > Installed : No > Status : not installed > Source package : plymouth-0.9.5~git20210406.e554475-150400.3.8.1.src > Upstream URL : https://www.freedesktop.org/wiki/Software/Plymouth > Summary : Plymouth FreeType label plugin > Description : > This package contains the label control plugin for > Plymouth. It provides the ability to render text on > graphical boot splashes using FreeType > Requires : [5] > libc.so.6(GLIBC_2.4)(64bit) > libfreetype.so.6()(64bit) > fontconfig > libply-splash-core.so.5()(64bit) > libply-splash-graphics5 = 0.9.5~git20210406.e554475 It would make sense that plymouth can only render fonts correctly if that package is installed. But with just 10.3 KiB installed size and not too many dependencies, I wonder why it isn't installed by default if the plymouth base package is installed.
Created attachment 868788 [details] Screenshot: QDirStat showing all installed plymouth packages Screenshot of qdirstat pkg:/plymouth On my Leap 15.5, I already got 9 plymouth packages installed with 996.5 kB installed size total. Adding plymouth-plugin-label-ft in the YaST software manager only adds that one package; I seem to have all dependencies installed already. % rpm -qa "*plymouth*" | sort > plymouth-0.9.5~git20210406.e554475-150400.3.8.1.x86_64 > plymouth-branding-openSUSE-15.5.20220322-lp155.3.7.noarch > plymouth-dracut-0.9.5~git20210406.e554475-150400.3.8.1.noarch > plymouth-lang-0.9.5~git20210406.e554475-150400.3.8.1.noarch > plymouth-plugin-label-0.9.5~git20210406.e554475-150400.3.8.1.x86_64 > plymouth-plugin-two-step-0.9.5~git20210406.e554475-150400.3.8.1.x86_64 > plymouth-scripts-0.9.5~git20210406.e554475-150400.3.8.1.noarch > plymouth-theme-bgrt-0.9.5~git20210406.e554475-150400.3.8.1.noarch > plymouth-theme-spinner-0.9.5~git20210406.e554475-150400.3.8.1.noarch
AFAICS it would be easy enough for the maintainers of the plymouth package to add a "suggests" dependency that adds plymouth-plugin-label-ft if package "cryptsetup" (for LUKS / LUKS2 support) is installed. Reassigning to the maintainers of that package. % osc maintainer -e plymouth Defined in package: Base:System/plymouth bugowner of plymouth : qzhao@suse.com maintainer of plymouth : qzhao@suse.com Defined in project: Base:System bugowner of plymouth : - maintainer of plymouth : dmueller@suse.com, meissner@suse.com, ro@suse.de, aj@suse.com, seife@novell.slipkontur.de, trenn@suse.com, werner@suse.com, daniel@molkentin.de, - Defined in project: Base bugowner of plymouth : - maintainer of plymouth : adrian.schroeter@suse.com, jblunck@novell.com, rguenther@suse.com
To clarify further: I guess that plymouth cannot display labels using freetype fonts without that plugin; which normally doesn't matter, unless you get a password prompt when suddenly it matters a lot because you can't read what the prompt requests of you.
(In reply to Stefan Hundhammer from comment #1) > If I understand your request correctly, you would like to get package > plymouth-plugin-label-ft automatically installed if you are about to install > a LUKS2 encrypted system. > > You'd prefer that to happen only if there is a separate /boot partition. > > Correct so far? I also didn't get his request even after I read the comment0 several times. I guess maybe Stefan is correct. Thank you so much Stefan for the deep research. But still need the bug reporter to accurately expect and reproduce steps. Thanks!
How do you install with custom Luks2 Encryption? Only with encrypted root filesytem, but a seperate unencrypted boot partition. With no other additional steps or setup, right?
Sorry if I was unclear, but you basically figured out my intentions. You could of course always add the package if the user selects encryption during installation and uses plymouth. I don´t know if you need it when encrypting the default way, without a seperate boot partition though. I manually format drives for my installation. An efi partition, a uncrypted ext4 boot partition and an encrypted partition with lvm for the rest. If you encrypt the whole system without a seperate boot partition, decryption is normally handled by grub, if I recall correctly. As I said I am not to sure which plugin exactly is needed, but think it is the freetype plugin. Those are the packages I currently have installed. plymouth plymouth-branding-openSUSE plymouth-dracut plymouth-lang plymouth-plugin-label plymouth-plugin-label-ft plymouth-plugin-script plymouth-plugin-two-step plymouth-scripts plymouth-theme-bgrt plymouth-theme-script plymouth-theme-spinner The last plugin I installed was plymouth-plugin-label-ft. Then I got the desired functionality. On other distros this works out of the box if you encrypt your system during installation, but those distros usually are using a seperate boot partition by default.