GRUB_CRYPTODISK_ENABLE undocumented

GRUB_CRYPTODISK_ENABLE undocumented

[Andrey Borzenkov]

Is it intentional? I hit it when testing grub on encrypted partition.
When no, I'll submit a patch.

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Michael Chang]

Hi Andrey,

2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
> Is it intentional? I hit it when testing grub on encrypted partition.
> When no, I'll submit a patch.

Do you have any progress on this? Besides document it, IMHO why not we
consider to remove it or make it default enable to receive more
testing from downstream ? Is there any consequence to enable it or
because it's not officially supported yet?

Even if it's immature, more testing is welcome to get all bugs sorted
and resolved.

Thanks,
Michael

>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Michael Chang]

Hi Andrey,

2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
> Is it intentional? I hit it when testing grub on encrypted partition.
> When no, I'll submit a patch.

Do you have any progress on this? Besides document it, IMHO why not we
consider to remove it or make it default enable to receive more
testing from downstream ? Is there any consequence to enable it or
because it's not officially supported yet?

Even if it's immature, more testing is welcome to get all bugs sorted
and resolved.

Thanks,
Michael

>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

On 28.08.2013 09:05, Michael Chang wrote:
> Hi Andrey,
> 
> 2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
>> Is it intentional? I hit it when testing grub on encrypted partition.
>> When no, I'll submit a patch.
> 
> Do you have any progress on this? Besides document it, IMHO why not we
> consider to remove it or make it default enable to receive more
> testing from downstream ? Is there any consequence to enable it or
> because it's not officially supported yet?
> 
This option authorizes GRUB to ask user for password and wait until the
password is supplied which can break unattended and remote boot. Think
of theme in /usr. With the option disabled GRUB would simply skip theme
and boot successfully. But with this option enabled it will wait for
password until user supplies it or presses ESC.
> Even if it's immature, more testing is welcome to get all bugs sorted
> and resolved.
> 
> Thanks,
> Michael
> 
>>
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Michael Chang]

On Wed, Aug 28, 2013 at 04:51:00PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 28.08.2013 09:05, Michael Chang wrote:
> > Hi Andrey,
> > 
> > 2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
> >> Is it intentional? I hit it when testing grub on encrypted partition.
> >> When no, I'll submit a patch.
> > 
> > Do you have any progress on this? Besides document it, IMHO why not we
> > consider to remove it or make it default enable to receive more
> > testing from downstream ? Is there any consequence to enable it or
> > because it's not officially supported yet?
> > 
> This option authorizes GRUB to ask user for password and wait until the
> password is supplied which can break unattended and remote boot. Think
> of theme in /usr. With the option disabled GRUB would simply skip theme
> and boot successfully. But with this option enabled it will wait for
> password until user supplies it or presses ESC.

In this case we shouldn't blame GRUB to interrupt the boot, instead
it's why the policy been made to place theme file in /usr (which's
supposed be encrypted) and expecting it to work on unattended or
remote boot.

As long as GRUB offers the option to on or off it (OK we don't remove
it as we know it's required now), it's the system setup program's
responsibity to make sure that the correct option is set for his setup
to work as intended. I do really hope that the default can be changed
for the reason that I have supplied.

Thanks,
Michael

> > Even if it's immature, more testing is welcome to get all bugs sorted
> > and resolved.
> > 
> > Thanks,
> > Michael
> > 
> >>
> >> _______________________________________________
> >> Grub-devel mailing list
> >> Grub-devel@gnu.org
> >> https://lists.gnu.org/mailman/listinfo/grub-devel
> >>
> > 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
> > 
> 
> 



> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel


-- 
Michael Chang
Software Engineer
Rm. B, 26F, No.216, Tun Hwa S. Rd., Sec.2
Taipei 106, Taiwan, R.O.C
+886223760030
mchang@suse.com
SUSE

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Andrey Borzenkov]

В Wed, 28 Aug 2013 15:04:44 +0800
Michael Chang <mchang@suse.com> пишет:

> Hi Andrey,
> 
> 2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
> > Is it intentional? I hit it when testing grub on encrypted partition.
> > When no, I'll submit a patch.
> 
> Do you have any progress on this? Besides document it, IMHO why not we
> consider to remove it or make it default enable to receive more
> testing from downstream ? Is there any consequence to enable it or
> because it's not officially supported yet?
> 
> Even if it's immature, more testing is welcome to get all bugs sorted
> and resolved.
> 

Well, I'm not sure which progress can be. I do not have any preference
whether it should be default or not, I just think it should be
documented.

Vladimir, is it OK?

From: Andrey Borzenkov <arvidjaar@gmail.com>
To: grub-devel@gnu.org
Subject: [PATCH] document GRUB_ENABLE_CRYPTODISK configuration option

Signed-off-by: Andrey Borzenkov <arvidjaar@gmail.com>

---
 docs/grub.texi | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/grub.texi b/docs/grub.texi
index 574f602..9903a36 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -1354,6 +1354,12 @@ Normally, @command{grub-mkconfig} will try to use the external
 systems installed on the same system and generate appropriate menu entries
 for them.  Set this option to @samp{true} to disable this.
 
+@item GRUB_ENABLE_CRYPTODISK
+If set to @samp{y}, @command{grub-mkconfig} and @command{grub-install} will
+check for encrypted disks and generate additional commands needed to access
+them during boot.  Note that in this case unattended boot is not possible
+because GRUB will wait for passphrase to unlock encrypted container.
+
 @item GRUB_INIT_TUNE
 Play a tune on the speaker when GRUB starts.  This is particularly useful
 for users unable to see the screen.  The value of this option is passed
-- 
tg: (321e011..) u/crypto_eable (depends on: master)

Re: GRUB_CRYPTODISK_ENABLE undocumented

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 2074 bytes --]

On 24.09.2013 12:39, Andrey Borzenkov wrote:
> В Wed, 28 Aug 2013 15:04:44 +0800
> Michael Chang <mchang@suse.com> пишет:
> 
>> Hi Andrey,
>>
>> 2013/3/29 Andrey Borzenkov <arvidjaar@gmail.com>:
>>> Is it intentional? I hit it when testing grub on encrypted partition.
>>> When no, I'll submit a patch.
>>
>> Do you have any progress on this? Besides document it, IMHO why not we
>> consider to remove it or make it default enable to receive more
>> testing from downstream ? Is there any consequence to enable it or
>> because it's not officially supported yet?
>>
>> Even if it's immature, more testing is welcome to get all bugs sorted
>> and resolved.
>>
> 
> Well, I'm not sure which progress can be. I do not have any preference
> whether it should be default or not, I just think it should be
> documented.
> 
> Vladimir, is it OK?
> 
Go ahead.
> From: Andrey Borzenkov <arvidjaar@gmail.com>
> To: grub-devel@gnu.org
> Subject: [PATCH] document GRUB_ENABLE_CRYPTODISK configuration option
> 
> Signed-off-by: Andrey Borzenkov <arvidjaar@gmail.com>
> 
> ---
>  docs/grub.texi | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 574f602..9903a36 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -1354,6 +1354,12 @@ Normally, @command{grub-mkconfig} will try to use the external
>  systems installed on the same system and generate appropriate menu entries
>  for them.  Set this option to @samp{true} to disable this.
>  
> +@item GRUB_ENABLE_CRYPTODISK
> +If set to @samp{y}, @command{grub-mkconfig} and @command{grub-install} will
> +check for encrypted disks and generate additional commands needed to access
> +them during boot.  Note that in this case unattended boot is not possible
> +because GRUB will wait for passphrase to unlock encrypted container.
> +
>  @item GRUB_INIT_TUNE
>  Play a tune on the speaker when GRUB starts.  This is particularly useful
>  for users unable to see the screen.  The value of this option is passed
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]

GRUB_ENABLE_CRYPTODISK vs GRUB_CRYPTODISK_ENABLE ?

[TJ]

What is the difference between GRUB_ENABLE_CRYPTODISK and GRUB_CRYPTODISK_ENABLE?

GRUB_ENABLE_CRYPTODISK only seems to be used in an export in "util/grub-mkconfig.in" whereas GRUB_CRYPTODISK_ENABLE is used in "util/grub-{install,mkconfig_lib}.in".

On Ubuntu 13.10 at least I found that I had to edit the export in 'grub-mkconfig' to be GRUB_CRYPTODISK_ENABLE in order for the installer scripts to correctly install for whole-disk encryption.

Unless there's some Makefile or pre-processor magic going on which I've missed I believe this might be a bug.

Re: GRUB_ENABLE_CRYPTODISK vs GRUB_CRYPTODISK_ENABLE ?

[Andrey Borzenkov]

В Fri, 27 Sep 2013 17:19:47 +0100
TJ <grub-devel@iam.tj> пишет:

> What is the difference between GRUB_ENABLE_CRYPTODISK and GRUB_CRYPTODISK_ENABLE?
> 
> GRUB_ENABLE_CRYPTODISK only seems to be used in an export in "util/grub-mkconfig.in" whereas GRUB_CRYPTODISK_ENABLE is used in "util/grub-{install,mkconfig_lib}.in".
> 
> On Ubuntu 13.10 at least I found that I had to edit the export in 'grub-mkconfig' to be GRUB_CRYPTODISK_ENABLE in order for the installer scripts to correctly install for whole-disk encryption.
> 
> Unless there's some Makefile or pre-processor magic going on which I've missed I believe this might be a bug.
> 


Looks like it.

From: Andrey Borzenkov <arvidjaar@gmail.com>
To: grub-devel@gnu.org
Subject: [PATCH] consistently use GRUB_ENABLE_CRYPTODISK everywhere

Both GRUB_ENABLE_CRYPTODISK and GRUB_CRYPTODISK_ENABLE
were used in different places. Use GRUB_ENABLE_CRYPTODISK everywhere
for consistency with other GRUB_ENABLE_* or GRUB_DISABLE_* parameters.

Signed-off-by: Andrey Borzenkov <arvidjaar@gmail.com>

---
 util/grub-install.in      | 2 +-
 util/grub-mkconfig_lib.in | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/grub-install.in b/util/grub-install.in
index ce8f840..7cd089b 100644
--- a/util/grub-install.in
+++ b/util/grub-install.in
@@ -632,7 +632,7 @@ if [ "x${devabstraction_module}" = "x" ] ; then
 	fi
     fi
 else
-    if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
+    if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
 	for uuid in "`echo "${grub_device}" | xargs "${grub_probe}"  --target=cryptodisk_uuid --device`"; do
 	    echo "cryptomount -u $uuid" >> "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/load.cfg"
 	done
diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 016d8c5..98d8a77 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -71,7 +71,7 @@ is_path_readable_by_grub ()
     return 1
   fi
 
-  if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
+  if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
       return 0
   fi
   
@@ -138,7 +138,7 @@ prepare_grub_to_access_device ()
     echo "insmod ${module}"
   done
 
-  if [ x$GRUB_CRYPTODISK_ENABLE = xy ]; then
+  if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
       for uuid in "`"${grub_probe}" --device "$@" --target=cryptodisk_uuid`"; do
 	  echo "cryptomount -u $uuid"
       done
-- 
tg: (144214a..) u/grub_cryptodisk_enable (depends on: master)