grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keyfile Support for GRUBs LUKS


From: Vladimir 'phcoder' Serbinenko
Subject: Re: Keyfile Support for GRUBs LUKS
Date: Thu, 21 Nov 2013 16:31:21 +0100

Why do you need offset and size options? keyfile option should be repeteable. The whole array would be passed down and file would be opened instead before reading password and concatebated with it unless --no-password was specified as well. If you have remaining questions feel free to ask here or on IRC.

On Nov 20, 2013 12:43 AM, "Ralf Ramsauer" <address@hidden> wrote:
Hi,

yesterday I realised, that GRUB is already supporting LUKS and even
simple DSA signature checking.

I was thinking about the following setup:
  - fully encrypted harddisk (LUKS) (incl. rootfs).
  - no bootloader on harddisk
  - kernel + initrd inside encrypted partition
  - optionally: signatures of the kernel + initrd

For "trusted" booting, I thought about an USB stick, that just includes
GRUB, a public key for verification and a keyfile for LUKS.
Using that setup, no password input would be required during boot. The
USB stick can be considered as "trusted environment".

Unfortunately, GRUB doesn't support keyfile for Luks up to now. As I'm
quite familiar with dm-crypt and LUKS I tried to implement the keyfile
feature to GRUB.
After spending several hours trying to get a deeper insight into the
GRUB internas I finally resigned, as I was missing documentation on
several things...

I was very confused about the way how GRUB2 is handling its modules and
about the strategies how functions are exactly called.
The aim is to implement three additional options to cryptodisk.c resp.
luks.c:
 -k keyfile [e.g. (hd2,msdos3)/mysecretkey]
 -o keyfile offset [optional, default: 0]
 -s keyfile size [optional, default: keyfilesize]

Using LUKS, a keyfile can simply be treated like a passphrase, which
basically is already implemented.

I would appreciate, if perhaps someone of you could help me with this issue.

Thanks in advance!
  Ralf

--
Ralf Ramsauer

PGP: 0x8F10049B


_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel

reply via email to

[Prev in Thread] Current Thread [Next in Thread]