grub-devel

Re: enable cryptomount to read passphrase from file


From: Alexandre Oliva
Subject: Re: enable cryptomount to read passphrase from file
Date: Mon, 19 Jan 2015 04:33:12 -0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

On Jan 18, 2015, Andrei Borzenkov <address@hidden> wrote:

> I suggest you cooperate with John for this; he has a set of patches to
> support it as well. See also http://grub.johnlane.ie/.

Nice, for some reason I didn't find his patchset in my web searches.  I
ended up using his code to update the crypto modules in libreboot on my
x60, and a slight variant of mine to update them for use along with BLAG
200k's grub on other machines that are not yet running a Free BIOS.  If
there's interest, I can post my updated patches here, but I'd be just as
happy if John's patchset made it.

> Just pass in passphrase+len. Do not expect anything about content of
> passphrase file at all.

Done.

> You can always unlock encrypted filesystem manually, right?

As long as grub isn't hosed ;-) In some of my attempts earlier today, it
was.  Fortunately I'd saved a working grub on a pen drive, and so
bringing the machine back to a working condition wasn't too hard.

> Hmm ... I'm not sure whether we should fallback to asking user. The whole
> point of using keyfile is to avoid user interaction in the first place,
> right?

Well, sort of.  My goal was to let the machine boot up with a pen drive
or entering the key manually, so the fallback made sense.  I can get
this effect by just trying with --keyfile first, and without it
afterwards.

>> +      else if ((grub_size_t)size >= sizeof (buf))
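Review bot: the `>=` in `(grub_size_t)size >= sizeof (buf)` rejects a file that exactly fills `buf` along with longer ones, which is the right call (a read that fills the whole buffer cannot be told apart from a truncated larger file) but deserves a one-line comment saying so, since the reviewer's own question shows the intent is not obvious. The cast `(grub_size_t)size` also suggests `size` is signed; confirm that a negative read result is handled before this branch rather than being wrapped to a large unsigned value here.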

> Can it be larger than sizeof(buf)?

No, but it doesn't hurt to play safe, does it?

> Is it prohibited to have new line or carriage return in passphrase file?

That was one bit I was uncertain about.  Keyboard-entered ones certainly
can't, but there's no reason I can think of to actually exclude them
from files.  I was concerned, however, about someone writing a
passphrase normally entered by hand to a file with a trailing newline.
That wouldn't work.  The file should not have the trailing newline.

-- 
Alexandre Oliva, freedom fighter    http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/   FSF Latin America board member
Free Software Evangelist|Red Hat Brasil GNU Toolchain Engineer
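The two points argued in this thread, treat the keyfile as opaque bytes passed as passphrase+len, and reject a read that fills the buffer rather than truncating it, as an added example that is not code from the patch under discussion or from GRUB. Everything here is hypothetical: `read_keyfile`, `passphrase_equal`, `keyfile_unlocks` and the `KEYFILE_BUF` bound are stand-ins, and ordinary stdio (`FILE *`, `fread`, `tmpfile`) replaces GRUB's own file API. The sample keyfile contents are constructed for the demonstration. It also shows the trailing-newline failure mode: a file written with `echo` carries a `\n` that a keyboard-entered passphrase never has, so the two no longer match.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical bound standing in for sizeof (buf) in the patch. */
#define KEYFILE_BUF 64

enum keyfile_status { KEYFILE_OK = 0, KEYFILE_EMPTY, KEYFILE_TOO_LARGE, KEYFILE_IO };

/* Read a keyfile as opaque bytes: no trimming, no NUL terminator assumed,
   and the caller gets passphrase+len, never a C string. */
enum keyfile_status
read_keyfile (FILE *f, unsigned char *buf, size_t bufsize, size_t *len)
{
  size_t n = fread (buf, 1, bufsize, f);
  if (ferror (f))
    return KEYFILE_IO;
  if (n == 0)
    return KEYFILE_EMPTY;
  /* Filling the buffer completely means the file may have been longer than
     we could hold, so it is rejected rather than silently truncated. */
  if (n >= bufsize)
    return KEYFILE_TOO_LARGE;
  *len = n;
  return KEYFILE_OK;
}

/* Length-aware comparison that does not stop at the first differing byte. */
int
passphrase_equal (const unsigned char *a, size_t alen,
                  const unsigned char *b, size_t blen)
{
  unsigned char diff = (unsigned char) (alen != blen);
  size_t n = alen < blen ? alen : blen;
  for (size_t i = 0; i < n; i++)
    diff |= a[i] ^ b[i];
  return diff == 0;
}

/* Write `data` into a fresh temporary file and rewind it, standing in for a
   keyfile on a pen drive. Constructed test input, not a real key. */
static FILE *
make_keyfile (const char *data, size_t len)
{
  FILE *f = tmpfile ();
  if (!f)
    return NULL;
  if (fwrite (data, 1, len, f) != len)
    {
      fclose (f);
      return NULL;
    }
  rewind (f);
  return f;
}

/* Would a keyfile holding `data` unlock a volume whose passphrase was typed
   at the keyboard as `typed`?  1 = yes, 0 = no, -1 = file rejected or unreadable. */
int
keyfile_unlocks (const char *data, size_t len, const char *typed)
{
  unsigned char buf[KEYFILE_BUF];
  size_t klen = 0;
  FILE *f = make_keyfile (data, len);
  if (!f)
    return -1;
  enum keyfile_status st = read_keyfile (f, buf, sizeof buf, &klen);
  fclose (f);
  if (st != KEYFILE_OK)
    return -1;
  return passphrase_equal (buf, klen, (const unsigned char *) typed, strlen (typed));
}

int
main (void)
{
  char big[KEYFILE_BUF];
  memset (big, 'A', sizeof big);

  /* printf '%s' style: exact bytes, matches the typed passphrase. */
  printf ("no newline:       %d\n", keyfile_unlocks ("correct horse", 13, "correct horse"));
  /* echo style: the trailing '\n' is part of the key and does not match. */
  printf ("trailing newline: %d\n", keyfile_unlocks ("correct horse\n", 14, "correct horse"));
  /* A file that fills the whole buffer is rejected instead of truncated. */
  printf ("fills buffer:     %d\n", keyfile_unlocks (big, sizeof big, "irrelevant"));
  /* An empty file is rejected too, rather than unlocking with a zero-length key. */
  printf ("empty file:       %d\n", keyfile_unlocks ("", 0, ""));
  return 0;
}
```

The practical consequence for the "write the passphrase to a file" case is that the file must be produced with something like `printf '%s' ...` rather than `echo`, or the extra byte becomes part of the key and the volume will not open; the reader side deliberately does nothing to hide that.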
