From: Andrey Borzenkov <arvidjaar@gmail.com>
To: grub-devel@gnu.org
Subject: Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset?
Date: Sat, 7 Dec 2013 17:54:41 +0400 [thread overview]
Message-ID: <20131207175442.5f797aba@opensuse.site> (raw)
In-Reply-To: <20131207132726.GA28299@riva.ucam.org>
В Sat, 7 Dec 2013 13:27:26 +0000
Colin Watson <cjwatson@ubuntu.com> пишет:
> I'm carrying this old patch in Debian at the moment, which predates the
> addition of LUKS support to GRUB:
>
> Index: b/util/grub-mkconfig_lib.in
> ===================================================================
> --- a/util/grub-mkconfig_lib.in
> +++ b/util/grub-mkconfig_lib.in
> @@ -130,6 +130,15 @@
> esac
> done
>
> + if dmsetup status $device 2>/dev/null | grep -q 'crypt[[:space:]]$'; then
> + grub_warn \
> + "$device is a crypto device, which GRUB cannot read directly. Some" \
> + "necessary modules may be missing from /boot/grub/grub.cfg. You may" \
> + "need to list them in GRUB_PRELOAD_MODULES in /etc/default/grub. See" \
> + "http://bugs.debian.org/542165 for details."
> + return 0
> + fi
> +
> # Abstraction modules aren't auto-loaded.
> abstraction="`"${grub_probe}" --device $@ --target=abstraction`"
> for module in ${abstraction} ; do
>
> Now, this is obviously wrong because it renders LUKS support mostly
> non-functional even if you have GRUB_ENABLE_CRYPTODISK=y, so I'd like to
> drop it, but that does mean that people who *don't* have
> GRUB_ENABLE_CRYPTODISK=y will once again see no hint of what to do.
>
> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional to
> begin with; it seems like a bit of a "do you want things to work? [y/N]"
> option to me. My preferred approach would be to delete the option. If
> there's some reason we can't do that, perhaps it would be worth checking
> for whether it would have any effect if enabled, and if so print an
> explanatory warning?
>
I think it came up recently and explanation was, in this case grub may
unintentionally end up to need more crypto devices than user expects and
thus waiting for passphrase on boot.
One reason it may happen is due to font handling. First, undocumented
GRUB_FONT which can theoretically point anywhere; second fallback
to /usr/share and similar if GRUB_FONT is not defined. So even if /boot
itself is unencrypted, you may suddenly pull in encrypted root.
prev parent reply other threads:[~2013-12-07 13:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-07 13:27 Behaviour if GRUB_ENABLE_CRYPTODISK is unset? Colin Watson
2013-12-07 13:49 ` Vladimir 'φ-coder/phcoder' Serbinenko
2013-12-07 14:00 ` Colin Watson
2013-12-07 23:42 ` Chris Murphy
2013-12-07 23:54 ` Vladimir 'φ-coder/phcoder' Serbinenko
2013-12-09 11:37 ` Colin Watson
2013-12-10 0:17 ` Chris Murphy
2013-12-07 13:54 ` Andrey Borzenkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131207175442.5f797aba@opensuse.site \
--to=arvidjaar@gmail.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).