Re: enable cryptomount to read passphrase from file
From: Alexandre Oliva
Subject: Re: enable cryptomount to read passphrase from file
Date: Mon, 19 Jan 2015 04:33:12 -0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
On Jan 18, 2015, Andrei Borzenkov <address@hidden> wrote:
> I suggest you cooperate with John for this; he has a set of patches to
> support it as well. See also http://grub.johnlane.ie/.
Nice, for some reason I didn't find his patchset in my web searches. I
ended up using his code to update the crypto modules in libreboot on my
x60, and a slight variant of mine to update them for use along with BLAG
200k's grub on other machines that are not yet running a Free BIOS. If
there's interest, I can post my updated patches here, but I'd be just as
happy if John's patchset made it.
> Just pass in passphrase+len. Do not expect anything about content of
> passphrase file at all.
Done.
> You can always unlock encrypted filesystem manually, right?
As long as grub isn't hosed ;-) In some of my attempts earlier today, it
was. Fortunately I'd saved a working grub on a pen drive, and so
bringing the machine back to a working condition wasn't too hard.
> Hmm ... I'm not sure whether we should fallback to asking user. The whole
> point of using keyfile is to avoid user interaction in the first place,
> right?
Well, sort of. My goal was to let the machine boot up with a pen drive
or entering the key manually, so the fallback made sense. I can get
this effect by just trying with --keyfile first, and without it
afterwards.
>> + else if ((grub_size_t)size >= sizeof (buf))
> Can it be larger than sizeof(buf)?
No, but it doesn't hurt to play safe, does it?
> Is it prohibited to have new line or carriage return in passphrase file?
That was one bit I was uncertain about. Keyboard-entered ones certainly
can't, but there's no reason I can think of to actually exclude them
from files. I was concerned, however, about someone writing a
passphrase normally entered by hand to a file with a trailing newline.
That wouldn't work. The file should not have the trailing newline.
--
Alexandre Oliva, freedom fighter http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/ FSF Latin America board member
Free Software Evangelist|Red Hat Brasil GNU Toolchain Engineer
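An added example, not part of this thread and not code from Alexandre's or John's patches, modelling the two points raised above: the `size >= sizeof (buf)` bounds check on the keyfile, and the fact that a keyfile carrying a trailing newline no longer equals the passphrase the user would type. `KEYFILE_BUF_SIZE`, the function names and the sample keyfile contents are all constructed for this example; GRUB's real buffer size and function names are not shown in the thread. The passphrase is handed on as bytes plus length with no assumption about its content, as suggested in the quoted review; `keyfile_ends_with_newline` is only a diagnostic a user can run on their own file before relying on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this example; GRUB's own buffer size is not
   shown in the thread. Kept small so the "does not fit" case is easy to show. */
#define KEYFILE_BUF_SIZE 16

/* Copy the raw keyfile bytes into buf and return the passphrase length.
   Mirrors the bounds check quoted in the thread: a file whose size is
   >= sizeof(buf) is rejected (-1) rather than truncated, so an oversized
   keyfile can never be used as a silently cut-down passphrase. No
   assumption is made about the bytes themselves; they are passed on as
   passphrase+len exactly as read. */
int load_keyfile(const unsigned char *data, size_t size,
                 unsigned char *buf, size_t buf_size)
{
    if (size >= buf_size)
        return -1;
    memcpy(buf, data, size);
    buf[size] = '\0';   /* terminator for printing only; not part of the passphrase */
    return (int) size;
}

/* Diagnostic a user can run over their own keyfile: reports whether the
   last byte is '\n' (which also catches "\r\n" endings written by editors). */
int keyfile_ends_with_newline(const unsigned char *data, size_t len)
{
    return len > 0 && data[len - 1] == '\n';
}

/* Compare a file-derived passphrase (bytes + length) against a keyboard-entered
   one. Constant-time over the compared bytes; only a length mismatch is
   visible through timing, which is acceptable for this illustration. */
int passphrase_matches(const unsigned char *p, size_t plen, const char *typed)
{
    size_t tlen = strlen(typed);
    size_t n = plen < tlen ? plen : tlen;
    unsigned char diff = (unsigned char) (plen != tlen);
    for (size_t i = 0; i < n; i++)
        diff |= p[i] ^ (unsigned char) typed[i];
    return diff == 0;
}

/* End-to-end: load the keyfile into a fixed buffer and check it against what
   the user would type. Returns 1 on match, 0 on mismatch, -1 if the file
   does not fit the buffer. */
int check_keyfile_against_typed(const unsigned char *data, size_t size,
                                const char *typed)
{
    unsigned char buf[KEYFILE_BUF_SIZE];
    int len = load_keyfile(data, size, buf, sizeof buf);
    if (len < 0)
        return -1;
    return passphrase_matches(buf, (size_t) len, typed);
}

int main(void)
{
    /* Constructed sample keyfile contents, not real secrets. */
    static const unsigned char clean[]   = "hunter2";
    static const unsigned char with_nl[] = "hunter2\n";
    static const unsigned char crlf[]    = "hunter2\r\n";
    static const unsigned char too_big[] = "0123456789abcdef";  /* 16 bytes == buffer size */

    printf("clean file:      %d\n", check_keyfile_against_typed(clean, sizeof clean - 1, "hunter2"));
    printf("trailing \\n:     %d\n", check_keyfile_against_typed(with_nl, sizeof with_nl - 1, "hunter2"));
    printf("trailing \\r\\n:   %d\n", check_keyfile_against_typed(crlf, sizeof crlf - 1, "hunter2"));
    printf("oversized file:  %d\n", check_keyfile_against_typed(too_big, sizeof too_big - 1, "hunter2"));
    printf("newline check:   %d\n", keyfile_ends_with_newline(with_nl, sizeof with_nl - 1));
    return 0;
}
```

Only the clean file matches the typed passphrase; both newline variants mismatch because the extra bytes are part of the passphrase as read, and the 16-byte file is refused outright by the bounds check rather than truncated. Running the newline diagnostic on a keyfile before writing it to the pen drive is the cheap way to avoid the mismatch the message describes.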