Message-ID: <4F103D17.4020903@gmail.com>
Date: Fri, 13 Jan 2012 15:17:59 +0100
From: Vladimir 'φ-coder/phcoder' Serbinenko
To: grub-devel@gnu.org
Subject: Re: ZFS Crypto key hand off to kernel
In-Reply-To: <4F0C2DDE.7070703@Oracle.COM>

On 10.01.2012 13:23, Darren J Moffat wrote:
> I've been testing the ZFS Crypto support in GRUB2 with Solaris 11 and
> found it works great - many thanks!
>
> The 'zfskey' command works very nicely, however the key is only
> available to grub and isn't handed off to the kernel that GRUB2 starts
> up.
>
> I'm considering an extension to the multiboot2 spec to provide a
> mechanism to hand off the key from GRUB2 to the running kernel.
>
> I would like for this not to be specific to the ZFS crypto support but
> to be usable for LUKS and other systems that allow for an encrypted
> root/boot where both GRUB2 and the kernel need the same key.
>
> Is this something that would be of interest for GRUB2? If so I'll
> look at developing the spec update and a patch for GRUB2 to support it
> for the zfs crypto support.
>
That would be most welcome. The main issues are:
1) What to consider a key? IMHO it should be the master key, and not password or session key.
2) How to match keys to actual devices? I think it should be UUID for LUKS and POOLUUID+FSNAME for ZFS, or perhaps just POOLUUID.
3) GRUB may have some keys without knowing which pool/fs they're used for. They should be marked as such.

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko