From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] cryptsetup Yubikey challenge-response support
Date: Wed, 15 Apr 2020 23:47:11 +0200
Message-ID: <20200415214711.GA18260@tansi.org>
In-Reply-To: <6c560546-bd7d-4d42-9d18-f45b1d188b8e@gmail.com>
On Tue, Apr 14, 2020 at 13:35:21 CEST, Milan Broz wrote:
> On 11/04/2020 21:56, Arno Wagner wrote:
> > On Sat, Apr 11, 2020 at 18:09:46 CEST, Milan Broz wrote:
> >> On 11/04/2020 16:49, JT Moree wrote:
> >>> Arno is working on updating the docs for new features of luks2.
> >>
> >> Arno did not add anything to FAQ in this regard for the last two+ years (the last
> >> contribution was in 2017, I do not count last week change for "LUKS2 is not
> >> covered" FAQ commit).
> >> The FAQ is really obsolete now, and we have to update it or remove it
> >> from distribution soon.
> >> (Many people already complained through various channels.)
> >
> > Well, many people complained and exactly zero did any work
> > or offered any work. Also, zero did complain to me (except
> > for the comments on the list here). These two details make
> > me very unconcerned about their complaints.
>
> Arno, please do not take this as a personal thing.
Ok, I will not.
> There are several issues in tracker about FAQ, some distributions
> already have quite nice own LUKS2 doc (Arch Linux for example).
> So we should update it, even if it is incomplete, it is better
> than to not touch it at all.
Arch has it? Good. I will look at it as soon as I find time.
I am currently more busy than usual due to some things
happening at my employer. The Arch doc would at least be an
item for the references.
> Also, external contributors should have easy way how to update
> FAQ (see my other reply about wiki; merge requests are not problematic).
Ok.
> > This is, at the moment, the LUKS 1 FAQ (and that was really
> > what the commit from last week was about), and as that it does
> > not need removing. It also covers quite a bit of stuff that is
> > not LUKS 1 specific and some stuff that is not even LUKS specific.
> > So unless you are positive nobody uses LUKS 1 anymore, and the
> > not LUKS 1 specific stuff is irrelevant, removing it would really
> > be the wrong approach.
>
> Yes, LUKS1 is there and will be there.
>
> But what I really tried from the beginning - a normal user
> should not care about version.
Well, the FAQ goes deep into details in some places and then
you need to know. For somebody just doing the standard
scenario and not having any specific issues, I agree, the
version should not matter.
> (For example that keyslot checker uses API, so it should work
> with LUKS2 etc. Just the offsets of keyslot will not be fixed.)
>
> And it works this way, people complained mainly about memory
> requirements for Argon KDF (and that is a feature, not a bug :-)
I see an FAQ item upcoming on that ;-)
> > If you want to start a LUKS 2 FAQ, be my guest. But be aware
> > that such a thing is a _lot_ of work before it is anywhere
> > near completion. That you do not have complete design
> > documentation for LUKS 2 (as far as I can tell) makes it
> > even harder. Maybe you write that documentation and as soon
> > as it is complete, I will go into the FAQ and start updating.
>
> One LUKS FAQ is enough for anyone :)
Ok, I think that is settled then.
> What is missing in LUKS2 doc that you need for this work to start?
> It is metadata on-disk format, nothing more.
Ok, then I will start with that.
It is an FAQ after all, so it is request driven. Anything missing,
people using it should complain about. Is the issue-tracker still
the best source to find all requests and complaints? If not, can
you update it with the issues people have run into with the
current FAQ in a way that I can find them?
> And for the FAQ complexity - I am FAQ co-author since
> the cryptsetup 1.0.7 (2009) release so I know how longterm work it is.
> That's why it a little bit irritates me that we did not update
> it yet (I just fixed obsolete links there).
One reason is perhaps that most things with LUKS2 did not involve
me. Being an external contributor has the advantage of a separate
perspective, but also the disadvantage that I am distant from
what is going on and often late to find out. That is fine,
after all, we can talk things over and I know now that some
work is needed.
Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier