kexec, initramdisk and dmcrypt questions

kexec, initramdisk and dmcrypt questions

[Christoph Anton Mitterer]

Hi.

I'd like to setup a system where all partitions (including the root file
system) are encrypted using dmcrypt.
Of course I need some place where I can boot from, and I intended to use
an USB-stick for that purpose.

Now I think there are (at least) the following two ways of doing this:

1) Traditional way
Boot from the USB-Stick with and initramsdisk,.. that sets up dmcrypt
and mounts the root-filesystem.

-Has the advantages that it's pretty well supported by some distros
(e.g. Debian) and it's very easy to setup.
-Has the disadvantages, that I'll always have to update the contents of
the stick when I install a new kernel (btw: does anybody know of an
write-once USB-Stick? ;) )

After booting it should be possible to just plug out the stick (as the
kernel and the modules are already loaded), or not?



2) using kexec.
I could imagine that my USB-stick serves just as loader,... having a
kernel and initrd that sets up dmcrypt/mounts root and calls kexec for
the "real" working kernel and the corresponding initramdisk, that are
both stored encrypted on e.g. the root filesystem in /boot/ or so...
The initrd of the working kernel contains the dmcrypt keys and
automatically sets up the mappings and mounts the filesystems.

-Has the advantage that this is nearly transparent for the system,
especially for tools that automatically create the initramdisk (stuff
like update-initramfs in Debian)
-And I would (nearly) never have to change the contents of the
loader-USB-stick.

Now I've read through the kexec documentation and I wonder wheter using
kexec might have some negative impact?
As the firmware is already initialised (by the loader kernel??) and the
working kernel must be put on different addresses.

I'm also not sure how to use the "architecture options" from the kexec
userspace tools?

Any ideas, help, suggestions, or threads ;) ?

Thanks and best wishes,
Chris.