In reply to @emilazy:matrix.org
https://github.com/NixOS/calamares-nixos-extensions/pull/25 says "#21 broke encrypted swap by mishandling the removal of crypto_keyfile.bin. This reverts the original fix. Instead, we leave BIOS the same; that was secure as it was before", I guess this was just a misunderstanding of the vuln? :/

Thanks, I didn't look at the pull request yet.

They also write:

NOTE: This is likely not a completely sufficient solution for users who choose manual partitioning. Mainly, if they create an unencrypted root partition with BIOS boot, it will still insecurely use crypto_keyfile.bin for other partitions that are encrypted.

Since they are specifically writing about unencrypted root partitions only, it seems like they thought it wouldn't be an issue for an encrypted root partiton?

Anyway, I guess this was a misunderstanding about the vulnerability. BIOS setups were definitly affected, the GHSA did specifically say it affects "non-UEFI systems".

In reply to @raitobezarius:matrix.org
but BIOS GRUB users are protected by cryptodisk

the advisory says

Users who installed NixOS through the graphical calamares installer, with an unencrypted /boot, on either:

• non-UEFI systems

In reply to @raitobezarius:matrix.org
but BIOS GRUB users are protected by cryptodisk

In reply to @septem9er:fairydust.space
Could you elaborate on that?

I have a similar setup with an unencrypted /boot and an encrypted /. When I start the OS it just boots all the way to user login not requiring my decryption password at any time.

In reply to @raitobezarius:matrix.org
well /boot is a cryptodisk in that situation so the keys over there are still as protected as before

In reply to @septem9er:fairydust.space
Yeah. The key is an unencryped boot partition, like it was already said.