From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Lad2zpFa8koi for <dm-crypt@saout.de>;
 Sun, 21 Jul 2013 14:27:22 +0200 (CEST)
Received: from mail-ea0-x22c.google.com (mail-ea0-x22c.google.com
 [IPv6:2a00:1450:4013:c01::22c])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.saout.de (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Sun, 21 Jul 2013 14:27:21 +0200 (CEST)
Received: by mail-ea0-f172.google.com with SMTP id q10so3262046eaj.17
 for <dm-crypt@saout.de>; Sun, 21 Jul 2013 05:27:20 -0700 (PDT)
Message-ID: <51EBD3A5.6050509@gmail.com>
Date: Sun, 21 Jul 2013 14:27:17 +0200
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <CACxrqpCg4zP-G0ufRz2rSafqqX1mw=5JjSWw=nfjaQ0QEw-CBQ@mail.gmail.com>
 <51EAEDB4.1090407@gmail.com> <51EB746A.3020600@kadzban.is-a-geek.net>
 <51EBA015.10409@gmail.com> <51EBA35A.8000602@archlinux.org>
In-Reply-To: <51EBA35A.8000602@archlinux.org>
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [dm-crypt] ing rootfs without initramfs
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: =?ISO-8859-15?Q?Thomas_B=E4chler?= <thomas@archlinux.org>
Cc: dm-crypt@saout.de, ebelcrom ebelcrom <ebelcrom@googlemail.com>, Bryan Kadzban <bryan@kadzban.is-a-geek.net>

On 07/21/2013 11:01 AM, Thomas B=E4chler wrote:
> Am 21.07.2013 10:47, schrieb Milan Broz:
>> I think using some initramfs is the only solution now for mapping
>> encrypted root fs (for now).
>=20
> I would remove "for now" from your statement. Unlocking the volume from
> kernel code itself requires that the kernel learns how to ask for
> passphrases and/or find key files, do LUKS header processing and accept
> device-mapper parameters in some way.
>=20
> This is very complicated to do in kernel code and adds tons of kernel
> code for tasks that do not belong into the kernel. Such patches will
> never be accepted upstream, since there is a more flexible and less
> error-prone mechanism to solve the problem (it's called "initramfs", if
> you didn't guess it already).

Never say never :)

Imagine you have system which stores keys in something like TPM and
you have "trusted" boot path. I can see that dm-crypt
itself receives key from such hw through kernel keyring directly and
we do not need much userspace interaction.
Basically it needs just some keyid on kernel command line (plus
more metadata info similar to patch I referenced).

That said I almost completely agree with your statement. And LUKS
parsing is completely userspace thing.

Milan