From: Darren J Moffat
Organization: Oracle Solaris Security
To: The development of GNU GRUB <grub-devel@gnu.org>
Date: Fri, 13 Jan 2012 14:27:09 +0000
Subject: Re: ZFS Crypto key hand off to kernel
Message-ID: <4F103F3D.3090103@Oracle.COM>
In-Reply-To: <4F103D17.4020903@gmail.com>
References: <4F0C2DDE.7070703@Oracle.COM> <4F103D17.4020903@gmail.com>
Cc: Vladimir 'φ-coder/phcoder' Serbinenko

On 01/13/12 14:17, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> Is this something that would be of interest for GRUB2? If so I'll
>> look at developing the spec update and a patch for GRUB2 to support it
>> for the zfs crypto support.
>>
> That would be most welcome. The main issues are:
> 1) What to consider a key? IMHO it should be the master key, and not
> password or session key.

Agreed, it is really helpful that GRUB2 has already done the PKCS#5 PBE transform in the case of a ZFS encrypted dataset. So there is no need to give the passphrase to the kernel when you can give the real key.

Also, it wouldn't actually be useful in the case of ZFS encryption for GRUB2 to hand off the list of actual data encryption keys; all we need is the key encryption key (aka master key, aka wrapping key).

> 2) How to match keys to actual devices? I think it should be UUID for
> LUKS and POOLUUID+FSNAME for ZFS, or perhaps just POOLUUID.

I need to brush up on LUKS; it has been a while since I looked at it, but that sounds correct to me.

For ZFS I think it might be enough to give the dataset name, but I like the idea of passing the POOL GUID as well. If I had both I would certainly use them.

> 3) GRUB may have some keys without knowing which pool/fs it's used for.
> They should be marked as such.

I must be missing something here: how could that happen in the ZFS case? Or do you mean in general?

-- 
Darren J Moffat
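As an added illustration of the three points discussed in this thread (not code from the thread, from GRUB or from Solaris), a hypothetical hand-off record and the kernel-side lookup that applies them: only master (wrapping) keys are accepted, ZFS entries are matched on dataset name plus pool GUID when GRUB supplied both, and entries GRUB could not attribute to a pool/fs are marked as such and returned only as a last resort for the caller to verify. The record layout, field names, enum names and sample values are all assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical hand-off record (an assumption, not the GRUB or Solaris format). */
enum key_kind  { KEY_PASSPHRASE, KEY_SESSION, KEY_MASTER };
enum key_owner { OWNER_UNKNOWN, OWNER_LUKS_UUID, OWNER_ZFS };

struct key_entry {
    enum key_kind  kind;
    enum key_owner owner;      /* OWNER_UNKNOWN: GRUB could not tell which pool/fs */
    uint64_t       pool_guid;  /* ZFS only; 0 when GRUB did not supply it */
    char           fsname[64]; /* ZFS dataset name; "" when not supplied */
    uint8_t        key[32];    /* wrapping-key bytes (left zeroed in this sample) */
    size_t         keylen;
};

/* Constructed sample table, as the boot loader might hand it over. */
static const struct key_entry sample[] = {
    { .kind = KEY_PASSPHRASE, .owner = OWNER_ZFS, .pool_guid = 0x1111, .fsname = "rpool/ROOT" },
    { .kind = KEY_MASTER, .owner = OWNER_UNKNOWN, .keylen = 32 },
    { .kind = KEY_MASTER, .owner = OWNER_ZFS, .pool_guid = 0x1111, .fsname = "rpool/ROOT", .keylen = 32 },
    { .kind = KEY_MASTER, .owner = OWNER_ZFS, .fsname = "tank/home", .keylen = 32 },
    { .kind = KEY_MASTER, .owner = OWNER_LUKS_UUID, .keylen = 32 },
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

/* Kernel-side lookup of the wrapping key for one ZFS dataset.
 * Returns the index of the chosen entry, or -1 if nothing is usable. */
int find_zfs_master_key(const struct key_entry *e, int n,
                        uint64_t pool_guid, const char *fsname)
{
    int unattributed = -1;
    for (int i = 0; i < n; i++) {
        if (e[i].kind != KEY_MASTER)            /* passphrases and session keys are no use here */
            continue;
        if (e[i].owner == OWNER_UNKNOWN) {      /* marked unattributed: remember it, keep looking */
            if (unattributed < 0) unattributed = i;
            continue;
        }
        if (e[i].owner != OWNER_ZFS || strcmp(e[i].fsname, fsname) != 0)
            continue;
        if (e[i].pool_guid != 0 && e[i].pool_guid != pool_guid)
            continue;                           /* both identifiers present: both must match */
        return i;
    }
    /* Last resort: an unattributed key, which the caller must still verify unwraps. */
    return unattributed;
}
```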