From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1Z3dz5-0004ju-U8 for mharc-grub-devel@gnu.org; Sat, 13 Jun 2015 01:27:59 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50074) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z3dz3-0004ia-CP for grub-devel@gnu.org; Sat, 13 Jun 2015 01:27:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Z3dz0-0005XM-5K for grub-devel@gnu.org; Sat, 13 Jun 2015 01:27:57 -0400 Received: from mail-lb0-x22f.google.com ([2a00:1450:4010:c04::22f]:34261) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z3dyz-0005X5-TY for grub-devel@gnu.org; Sat, 13 Jun 2015 01:27:54 -0400 Received: by lbcmx3 with SMTP id mx3so28636936lbc.1 for ; Fri, 12 Jun 2015 22:27:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-type; bh=4lt8EhuQkTw6JJVwIJQh6WdyMMDBhw7Yg98zqogR6PM=; b=061KQcLkBoex+O5wKGbx2XyDgtXR+8d0MdUpxl4E68NGjtlcoQF4WcNC2O7SSg+Srm 8TzbPOHCJsaLywWYoMamyY0rXJirWPGn814m2y5czgJI+xoJpX7OxUZwe45S8AJrYipQ N6VZp6YZINbZFMoGsETLypR2y8qQVYMgryAdjyiYS5dnhdZLzjVgDbOGcnObfV3IKKH7 /APQe1+ouii75xBvXb3syBjOtNnylddazeFQN0wmAlwtjvufQ7dN5nmljk5tPZ5yXEj/ 46+RSXgPmdUUNiQmwJfsiQerom0TkHetGiFVaE7J/Zq6jR6GeGq3L91QOfZvYSIq3q6X XkVw== X-Received: by 10.152.121.42 with SMTP id lh10mr18504627lab.0.1434173271989; Fri, 12 Jun 2015 22:27:51 -0700 (PDT) Received: from opensuse.site (ppp91-76-14-38.pppoe.mtu-net.ru. [91.76.14.38]) by mx.google.com with ESMTPSA id l3sm1227428lbj.46.2015.06.12.22.27.50 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Jun 2015 22:27:51 -0700 (PDT) Date: Sat, 13 Jun 2015 08:27:49 +0300 From: Andrei Borzenkov To: John Lane Subject: Re: Patches to cryptomount (plain support, keyfiles and LUKS detached headers) Message-ID: <20150613082749.383fc60f@opensuse.site> In-Reply-To: <557B2FD4.1030604@jelmail.com> References: <548EC66C.2050006@jelmail.com> <54C165DD.4010109@gmail.com> <557B2FD4.1030604@jelmail.com> X-Mailer: Claws Mail 3.11.0 (GTK+ 2.24.28; x86_64-suse-linux-gnu) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/gFKvxSBQwmXBgNC=rgA_r+a"; protocol="application/pgp-signature" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2a00:1450:4010:c04::22f Cc: grub-devel@gnu.org X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jun 2015 05:27:58 -0000 --Sig_/gFKvxSBQwmXBgNC=rgA_r+a Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =D0=92 Fri, 12 Jun 2015 20:15:32 +0100 John Lane =D0=BF=D0=B8=D1=88=D0=B5=D1=82: > > Sorry, we cannot accept patches which aren't sent to this ml by author. > I've attached the patches here. They apply clean to c945ca75. Sending them as patch series in mail body would make it easier to review and comment on them. > > I'm not sure that all features are good. For starters plain mode is just > > difficult to setup and use. Please provide usecases not already covered > > by current features. >=20 > My target was to establish LUKS volumes with detached headers and key > files and this is not already covered by current features. >=20 > My specific use-case is booting secured systems where the boot > environment (Grub, LUKS headers and keys) is contained on removable > media such as a USB key. The non-removable hard-drive has no boot code > on it; it just appears as an unformatted disk unless the removable key > is used. >=20 > To support this, it was necessary to add support to Grub for detached > LUKS headers and keys. >=20 > I am aware of a number of other people enquiring about this specific > functionality so I am not alone in thinking it's a valid use-case. >=20 > Regarding plain mode, I don't understand why plain mode is "difficult > to setup and use". I did the work on plain mode at the same time because > one of the disks that I needed to work with was a plain mode disk. I > asked about the existing but non-functioning "peter/devmapper" branch > and spent some time trying to get that to work. In the end, and as I > understand how LUKS uses dm-crypt, it seemed better to re-use the > existing code base in the cryptodisk routines because this is more > current, used and tested. By doing that I was able to get it to work > very quickly. >=20 The problem is not coding it. It is impossible to identify plain mode crypto-containers at run time. So it depends on user knowing (or guessing) which of disks to use. It is pure manual stuff which cannot be integrated in GRUB grub-install or grub-mkconfig. You have 5 disks each encrypted with different key that are plain/use detached header. How can you setup GRUB to automatically find out the right key/header for each disk? I personally would appreciate keyfile support as separate patch, not buried in plain mode support. Especially if it would be accompanied by grub-mkconfig changes to automate generation of grub.cfg to use it.=20 > I've been using my changes in daily use since my original postings last > December. I've just updated to the latest head and the patches still > merge cleanly. >=20 > I'd appreciate it if these changes could be considered. If any more > information would be useful please let me know. >=20 > @@ -488,6 +496,7 @@ grub_cryptodisk_open (const char *name, grub_disk_t d= isk) > =20 > if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) =3D= =3D 0) > { > + grub_crypto_uuid_dehyphenate((char *)name + sizeof ("cryptouuid/")= ); This alters original name passed to grub_disk_open. As already mentioned it is better to use comparison function that ignores hyphens. --Sig_/gFKvxSBQwmXBgNC=rgA_r+a Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlV7v1YACgkQR6LMutpd94xWEQCcCnakOxfb0gSk46cHfqGpEwxN EgsAn0vw0GxDPUywXRP4am0Za8+aJXhS =W3Wu -----END PGP SIGNATURE----- --Sig_/gFKvxSBQwmXBgNC=rgA_r+a--