From: Vladimir 'φ-coder/phcoder' Serbinenko
Date: Sat, 23 Apr 2011 00:30:21 +0200
To: The development of GNU GRUB
Subject: Luks inclusion (was Re: GRUB 1.99~rc2 released)
Message-ID: <4DB2017D.7080209@gmail.com>

On 21.04.2011 17:29, Craig Sparks wrote:
>
> When is luks going to be added so we can encrypt the boot partition also?
>

I've cleaned the patch (took a lot of time), not because I believe it's a
useful feature but since it has become an often requested one.
The branch is available at http://bzr.savannah.gnu.org/r/grub/branches/luks/ .
You need to set GRUB_LUKS_ENABLE=y.
Beware that:
a) Crypto in GRUB is much less performant than in kernel due to
unavailability of many accelerated instructions. So prepare for key
recovery taking considerable time or decrease key strengthening.
b) You'll need to enter passphrase twice. Once for GRUB, once for OS.
c) Encrypting doesn't guarantee integrity. Your /boot can be tampered
with even if it's encrypted and GRUB has no way of finding it out.
Encryption is about secrecy and /boot doesn't contain anything secret.
d) core is unencrypted (since BIOS has no encryption support)
e) core needs a much bigger embedding zone
f) no writing to luks as of now.
But even regardless of all that criticism which puts this as
low-priority, I'm fed up with feature requests and since unless it's
activated manually LUKS in GRUB doesn't kick in, I've done the cleanup.
Now you do the tests and report the results back

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko
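
Caveat (a) in the message above concerns LUKS key strengthening, which is stored as PBKDF2 iteration counts in the volume header. The following is an added example, not part of the original message or of GRUB's code: it reads those counts from a LUKS1 header and totals the PBKDF2 work a passphrase attempt can cost, assuming the LUKS1 on-disk layout; the sample header and its values are constructed.

```python
import hashlib
import struct
import time

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED = 0x00AC71F3
# LUKS1 on-disk header, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, MK digest, MK salt, MK iterations, UUID
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Key slot: active flag, PBKDF2 iterations, salt, key material offset, stripes
SLOT = struct.Struct(">II32sII")

def parse_luks1(buf):
    """Return hash spec, MK digest iterations and per-slot PBKDF2 iterations."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated LUKS1 header")
    f = PHDR.unpack_from(buf, 0)
    if f[0] != LUKS_MAGIC or f[1] != 1:
        raise ValueError("not a LUKS1 header")
    slots = {}
    for i in range(8):
        active, iters, _salt, _off, _stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size)
        if active == KEY_ENABLED:
            slots[i] = iters
    return {"hash": f[4].rstrip(b"\0").decode("ascii"),
            "mk_iterations": f[9], "slots": slots}

def worst_case_iterations(hdr):
    """A wrong (or last-slot) passphrase costs one slot PBKDF2 plus one
    MK-digest PBKDF2 for every active slot that gets tried."""
    return sum(n + hdr["mk_iterations"] for n in hdr["slots"].values())

def pbkdf2_rate(hash_name, probe=20000):
    """Measured PBKDF2 iterations per second on the host running this."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"probe", b"\0" * 32, probe)
    return probe / (time.perf_counter() - start)

def sample_header():
    """Constructed header: slots 0 and 3 active, every other field is dummy."""
    iters = {0: 180000, 3: 90000}
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                    4096, 32, b"\0" * 20, b"\0" * 32, 25000, b"constructed-uuid")
    for i in range(8):
        hdr += SLOT.pack(KEY_ENABLED if i in iters else 0xDEAD,
                         iters.get(i, 0), b"\0" * 32, 8, 4000)
    return hdr

if __name__ == "__main__":
    h = parse_luks1(sample_header())
    total = worst_case_iterations(h)
    print(h, total, "iterations, about %.2f s on this host"
          % (total / pbkdf2_rate(h["hash"])))
```

The time printed is for the host running the script; a boot loader without accelerated instructions, as the message notes, will take longer for the same iteration total.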