From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from 64.mail-out.ovh.net (64.mail-out.ovh.net [91.121.185.65]) by mail.saout.de (Postfix) with SMTP for ; Sun, 7 Nov 2010 23:43:14 +0100 (CET)
From: Jean-Michel Pouré - GOOZE
In-Reply-To:
References: <1288808772.11023.5.camel@acer> <20101103223431.GA20934@tansi.org> <1288848713.3936.2.camel@acer> <1288964932.31820.3.camel@etppc09.garching.physik.uni-muenchen.de>
Content-Type: text/plain; charset="utf-8"
Date: Sat, 06 Nov 2010 19:16:25 +0100
Message-ID: <1289067385.32121.1.camel@acer>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Re: [dm-crypt] Feitian PKI donation to dm-crypt projetc
Reply-To: jmpoure@gooze.eu
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: dm-crypt@saout.de

On Friday, 5 November 2010 at 17:29 +0100, Ma Begaj wrote:
> A script on an encrypted root partition could compare (upon decryption)
> the md5 checksum of the initramfs with the saved md5 checksum (with md5sum)
> and show an alert message if the sums do not match.

When using smartcards, secrets are not displayed. So why should we need to encrypt the initramfs at the first stage?

We only need to boot the first stage non-encrypted, and then request secrets from PKCS#11 and decrypt the complete system.

What do you think?

-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu
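The check Ma Begaj sketches in the quoted paragraph, written out as an added example; this is not code from the thread or from the dm-crypt project. The initramfs path and the location of the reference hash are assumptions (adjust them for your distribution), and sha256sum is used in place of md5sum as a design choice. The reference hash lives on the encrypted root, so it cannot be rewritten by someone who only has access to the unencrypted /boot; the caveat is that the comparison runs after the root has been unlocked, so it detects a modified initramfs only after that initramfs has already run with the unlocked key. It is a detection control, not a preventive one.

```shell
#!/bin/sh
# Added example (not from the dm-crypt project): detect a modified initramfs
# by comparing its hash against a reference stored on the encrypted root.
set -eu

# Assumed paths: the unencrypted initramfs in /boot and the reference hash
# kept on the encrypted root filesystem. Override via environment if needed.
INITRAMFS="${INITRAMFS:-/boot/initramfs.img}"
REFFILE="${REFFILE:-/etc/initramfs.sha256}"

# Hash of a file as a bare hex string (sha256sum chosen over md5sum here).
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record the current initramfs hash. Run once, right after a trusted
# kernel/initramfs update, while the root is unlocked.
record_initramfs_hash() {
    file_hash "$1" > "$2"
}

# Compare the current initramfs hash with the recorded one.
# Returns 0 on match, 1 on mismatch, 2 if either file is unreadable.
check_initramfs_hash() {
    img="$1"
    ref="$2"
    [ -r "$img" ] || { echo "cannot read initramfs $img" >&2; return 2; }
    [ -r "$ref" ] || { echo "cannot read reference hash $ref" >&2; return 2; }
    current=$(file_hash "$img")
    expected=$(cat "$ref")
    if [ "$current" = "$expected" ]; then
        return 0
    fi
    echo "WARNING: initramfs $img does not match the recorded hash" >&2
    echo "  expected: $expected" >&2
    echo "  current:  $current" >&2
    return 1
}

# Command-line use: "record" after a trusted update, "check" at boot
# (for example from a unit that runs once the encrypted root is mounted).
case "${1:-}" in
    record) record_initramfs_hash "$INITRAMFS" "$REFFILE" ;;
    check)  check_initramfs_hash "$INITRAMFS" "$REFFILE" ;;
esac
```

Run `record` once after each legitimate initramfs rebuild, otherwise every update will trip the check; running `check` from a service ordered after the encrypted root is mounted gives the alert the quoted message asks for.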