[bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesyst

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesyst

From:	Josselin Poiret
Subject:	[bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems
Date:	Fri, 31 Dec 2021 18:58:28 +0100

Hello,

chayleaf <chayleaf@pavluk.org> writes:

> Wouldn't it be fine if the key is stored on an external device and the
> user supplies a G-Expression that loads it?  Or is the G-Expression
> executed at reconfigure as opposed to at boot?

It would indeed be fine.  The open-luks-device g-exp is executed at
boot, in early userspace (ie no root mounted yet, still in the
initramfs), by `build-system` in (gnu build linux-boot) as a member of
`pre-mount`.

> Storing the key itself is indeed insecure.  However, I think the
> ability to load the key from something other than user input could
> become a building block for hardcoding the key in more secure ways. 
> For example, as far as I can tell, Grub supports multiple initrd
> images [1], if the user puts their key on the boot partition in the
> cpio format and tells Grub to use it as a secondary initrd, perhaps it
> could be done.

Yes, this is what I was suggesting, although I don't really know how
Linux handles multiple initrds.  Is the resulting initramfs a union of
the different initrds?

> I do agree that at the very least the potential security issues
> hardcoding the key can cause need to be documented.

Agreed.

> The biggest problem is there need to be multiple generations available
> at the same time.  While you could create a separate "private" only-
> read-by-root initrd store for this purpose, that would be too much work
> for just a single feature.  A possible compromise is maintaining a
> single out-of-store initrd at a given time, or, combined with the
> above, the "secret" initrd parts could be stored in a separate archive,
> similar to how grub resides in its own directory outside of the store.

Out-of-store that's specified by the user seems like a good idea.  Do
you think you could handle adding additional initrd support to GRUB?  I
don't think it should be that hard.

Apart from that, the patch would be ok to merge for me if there was some
accompanying documentation that describes the security risks in a way
that would be understable for a layperson.

Best,
Josselin Poiret

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems, chayleaf, 2021/12/29
- [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems, Josselin Poiret, 2021/12/30
  - [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems, chayleaf, 2021/12/30
    - [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems, Josselin Poiret <=

Prev by Date: bug#51241: [PATCH 1/1] gnu: ragel: Fix build of knot on aarch64-linux.
Next by Date: bug#52875: [PATCH] gnu: Add musikcube.
Previous by thread: [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems
Next by thread: [bug#52887] [PATCH staging] containers: Add CLONE_NEWCGROUP cgroup namespace support
Index(es):
- Date
- Thread