From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1VpRht-0000k8-TO for mharc-grub-devel@gnu.org; Sat, 07 Dec 2013 18:54:45 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53376) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VpRhn-0000k0-Qr for grub-devel@gnu.org; Sat, 07 Dec 2013 18:54:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VpRhj-0004oo-4Y for grub-devel@gnu.org; Sat, 07 Dec 2013 18:54:39 -0500 Received: from mail-ea0-x235.google.com ([2a00:1450:4013:c01::235]:50223) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VpRhi-0004oD-SG for grub-devel@gnu.org; Sat, 07 Dec 2013 18:54:35 -0500 Received: by mail-ea0-f181.google.com with SMTP id m10so908817eaj.26 for ; Sat, 07 Dec 2013 15:54:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=d3aDQt+OB/yvagy/9HUigHiEbFQEblOoT8ozvsP3ETA=; b=VfnMguTD0F+dlUTd2ALRop4RLvXzswDEr9zYP/WPydkq+Mue40BiaspmSjUEJ4a+Sq T2FAC/qcB1dLFx2xqKs14DwQ5XKAMP7Rf7481ILHFuFuddCj6jlPxJwQBTIWcMQIOnI5 Ci6VfQNv/pJfTxFqJZtoc/mN8O4irmqB+y2olcV+rHDEOc3LuVgMJI2JBv6HF6AZjQ1g yc9MYpTwt2Qk7f3UVx1b/8p9cFLsERukVji/R4NFSObCSzn9Jx+Rdip3+0H21Caw625x RsQWRW3NzVivB1yhXmw9fpzWLmktar+BSxt2CYPbAmlUP47LGVyzTVqMHNGUQ3GPzRFk 5fyg== X-Received: by 10.14.94.130 with SMTP id n2mr1087945eef.99.1386460473978; Sat, 07 Dec 2013 15:54:33 -0800 (PST) Received: from [192.168.1.16] (85-188.196-178.cust.bluewin.ch. [178.196.188.85]) by mx.google.com with ESMTPSA id e43sm11433363eep.7.2013.12.07.15.54.33 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 07 Dec 2013 15:54:33 -0800 (PST) Message-ID: <52A3B538.7030000@gmail.com> Date: Sun, 08 Dec 2013 00:54:32 +0100 From: =?UTF-8?B?VmxhZGltaXIgJ8+GLWNvZGVyL3BoY29kZXInIFNlcmJpbmVua28=?= User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10 MIME-Version: 1.0 To: The development of GNU GRUB Subject: Re: Behaviour if GRUB_ENABLE_CRYPTODISK is unset? References: <20131207132726.GA28299@riva.ucam.org> <52A32779.9030604@gmail.com> <20131207140058.GB28299@riva.ucam.org> <8DA92A3A-4743-4924-932E-CDD51EAE9303@colorremedies.com> In-Reply-To: <8DA92A3A-4743-4924-932E-CDD51EAE9303@colorremedies.com> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="GqK60hgojA2QSPwp4CRvThjm3n88U5KJS" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2a00:1450:4013:c01::235 X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Dec 2013 23:54:44 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --GqK60hgojA2QSPwp4CRvThjm3n88U5KJS Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 08.12.2013 00:42, Chris Murphy wrote: >=20 > On Dec 7, 2013, at 7:00 AM, Colin Watson wrote: >=20 >> On Sat, Dec 07, 2013 at 02:49:45PM +0100, Vladimir '=CF=86-coder/phcod= er' Serbinenko wrote: >>> On 07.12.2013 14:27, Colin Watson wrote: >>>> I've never totally understood why GRUB_ENABLE_CRYPTODISK is optional= to >>>> begin with; it seems like a bit of a "do you want things to work? [y= /N]" >>>> option to me. My preferred approach would be to delete the option. = >>> >>> Cryptodisk support is allowed to ask user for password which is not >>> possible for unattended systems. >>> E.g. in old config GRUB was looking for unifont under /usr/share. If = you >>> make cryptodisk default a server doing this would stop in password >>> prompt rather than skipping unifont and going to text mode and >>> continuing booting. >> >> OK. I get that we don't necessarily want to be noisy if it's just for= >> something optional. But if somebody's /boot is on LUKS, it would be >> nice to tell them how to enable support for that rather than just havi= ng >> grub-mkconfig fail, right? I think grub-install already gives specifi= c >> instructions, so we could do that in grub-mkconfig too. >=20 > Encrypted /boot seems to be an edge case, at least for x86 UEFI, on whi= ch increasingly systems are shipping with a firmware that doesn't initial= ize USB at all in order shave off boot time. For these systems, as far as= I know, GRUB, or any boot manager, can't initialize USB while boot servi= ces is still active. So we're looking at systems with no interactive mean= s to manipulate a boot menu at boot time, or type in passwords. Instead i= t seems we need an application that modifies e.g. grubenv so the grub.cfg= knows what to boot.=20 >=20 > Anyway, I'm uncertain about the benefit of encrypted /boot. If boot fil= es are supposed to be protected from modification then that's what secure= boot is for. >=20 >=20 That's all beside the original topic of this thread. This is unfortunate that this becomes a tendency on this list to usurp threads for unrelated comments. And note that encrypted /boot as part of encrypted / is easier to manage in some cases > Chris Murphy > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel >=20 --GqK60hgojA2QSPwp4CRvThjm3n88U5KJS Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iF4EAREKAAYFAlKjtTgACgkQmBXlbbo5nOvDOAD/ftXavqMYrC7g1bUKGQLl0UfA sCt2dv5XATHe81cifK4BAJY+9JNZvnnH3+6RofKGWQej3nWtSXqraZO1BSCIYo/4 =5djw -----END PGP SIGNATURE----- --GqK60hgojA2QSPwp4CRvThjm3n88U5KJS--