Re: [PATCH] 90crypt: keys on external devices support

["Amadeusz Żołnowski" <aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>]

[-- Attachment #1: Type: text/plain, Size: 3241 bytes --]

Excerpts from Mr Dash Four's message of Wed Oct 20 16:44:31 +0200 2010:
> > Examples:
> >   rd.luks.key=/some/file.key:LABEL=cool_keys:UUID=00aabc
> >   rd.luks.key=/some/file.key::UUID=00aabc
> >   rd.luks.key=/some/file.key:LABEL=cool_keys
> >   rd.luks.key=/some/file.key
> >
> > And probably I'll introduce this scheme in patches I'm improving
> > recently.  Does it satisfy you? :-)  And for token it would be:
> >
> >   rd.luks.token=…
> >
> > Might be?
> >   
> I'll be happy if you reverse the order and add a file system type as
> well - it makes it more consistent with the Fedora Kickstart format,
> otherwise is a bit confusing.

"rd.luks.key=::/some/file.key" is much more confusing.  I bet that some
user will curse us when he forget about double colon.  I think that
required parameters should be first and less useful last.  It's all
Dracut wonder that it doesn't require many parameters.

When you're mounting device are you always specifying "-t fs_type"? :-)
Disk is mounted readonly, so even if mount performs wrong guess, nothing
bad happens.  This is rare case.  Although maybe we can add it… :-) Then
it would be:

  rd.luks.key=<key_path>:<key_dev>:<key_dev_fs>:<luks_dev>


> >> I've looked through the dependencies and the package scripts though
> >> there are, among other things, udev rules and config files, which
> >> could complicate matters. Following this I have another query: Does
> >> dracut have (at least read) access to the /boot partition where the
> >> initramfs image is?
> >>     
> >
> > No, no.  You don't need access to /boot.  You put everything in
> > initramfs using installation functions provided by
> > 'dracut-functions'.  See 'install' and 'check' scripts in some
> > module's directory.
> >   
> 
> That could spell trouble as for just running pkcs11-tool that requires
> 2 configuration files which reflect the specific token type and
> various parameters. Although 90% of all cases fall into the 'default'
> mode scenario there are the rest 10% which do not and have to be
> properly catered for.
> 
> The parameters and attributes in these files are complex and cannot be
> specified in the kernel command line in grub.conf. If these 2
> configuration files are embedded into initrd they cannot be changed,
> which means that initrd has to be custom-built for each client
> configuration which makes this whole exercise largely impractical.
> 
> The other possible scenario, as I already mentioned, is to use
> configuration files which are outside initrd (separate device or
> located in /boot are two possible alternatives)

Maybe 10% can embed the file? :-)  Well you maybe can specify additional
config same way as key for luks is specified.  Maybe it would make sense
to have such a general feature to grab files during runtime from
removable devices?

But would be cool if you get idea how to do it without extra configs
from outside.  Maybe it's possible to perform some settings guesses on
run-time?


> One other query related to this: if I want to use crypttab for my root
> (/) partition how is that handled by dracut?

Password support only for now, but I'm gonna extended it.
-- 
Amadeusz Żołnowski

PGP key fpr: C700 CEDE 0C18 212E 49DA  4653 F013 4531 E1DB FAB5

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 490 bytes --]