From: Milan Broz
Date: Wed, 24 Aug 2011 09:51:07 +0200
Subject: Re: [dm-crypt] unlocking dm-crypt from grub - kernel in crypted volume
To: dm-crypt@saout.de

On 08/23/2011 03:05 PM, Arno Wagner wrote:
>
> Quite frankly, I doubt this increases security significantly.

>> For example passing the password in a safe way from grub to the kernel

IMHO without a full implementation of "trusted boot" this will just add
some small amount of work for the attacker without a real security increase.

And with "trusted boot" (whatever it means) grub loader integrity
should be verified before you enter the passphrase.

In fact, it is just a few instructions to add to the grub module to store
the entered passphrase somewhere on disk, CMOS, flash, whatever is
available, for later use by an attacker.
(Just another variation of the "Evil maid" attack.)

Anyway, the LUKS implementation in GRUB2 is completely independent
from upstream, so you can ask on the grub devel list - they did not try
to contact upstream if there is a possibility to share some code,
so it contains a full LUKS reimplementation (but it is good for other
reasons, though).

For kernel dm-crypt - I really do not want things here like
"encrypted passphrase" or similar concepts.
(Until some certification process forces me :-)

But I would like to add here the concept of a "passphrase handle",
IOW userspace will just hand over a handle (id) to some other subsystem
where the key is stored (could be kernel keyring, some token, whatever).

Milan