Re: Cryptomount is blind (useless systematic check, lvm, etc.)
From: Andrei Borzenkov
Subject: Re: Cryptomount is blind (useless systematic check, lvm, etc.)
Date: Sun, 9 Nov 2014 22:24:58 +0300
On Sun, 09 Nov 2014 16:53:50 +0100
"Garreau, Alexandre" <address@hidden> wrote:
> Hello, I’ve got some problems with cryptomount, trying to make a
> superportable script that could automatically detect any sort of OS or
> bootable thing and offer options to boot it. I’ve encountered multiple
> problems since the beginning (like the fact that I can have to enter the
> same password twice, for instance for GRUB login and cryptomount, or
> syslinux sourcing not working yet), but now here is a new one that I
> think could be fixed by improving cryptomount's features (again):
>
> I have a whole hard disk, GPT-partitioned, with one big LUKS partition
> containing an LVM volume that contains two partitions: root and swap
> (it’s useful to have it encrypted, especially for secure hibernation).
>
> The first problem I noticed is this one: doing cryptomount -a I see
> “(crypto0)” as well as “(lvm/LVM713-root)” appear and that’s fine, but
> if I want to mount only my hard disk, or to mount devices one after
> another to mount only some devices (for example only external (ata,
> usb, fd) or internal ones, or not to mount already mounted devices and
> save time), I noticed “cryptomount (ahci0,gpt1)” makes “(crypto0)”
> appear, but not “(lvm/LVM713-root)”. There’s no command to mount LVM;
> normally it’s automatically done when detecting a new device, but
> actually cryptomount does it only with option “-a”.
>
There is no such thing as "mount" in grub. Every file name includes
device identification (explicitly or implicitly as $root). Some
commands like "ls" or "cryptomount -a" scan all devices, which you
probably interpret as "mount".
When you try to access (lvm/LVM713-root), grub will *always* scan the
available devices to find this volume. There is no need to "mount" it.
> The second problem I got is because of the first: I’m forced to use -a,
> but I can’t try to mount only internal or external devices with -a, and
> thus I’m forced to make GRUB check the internal devices *again* when I
> only want it to check for possible new encrypted external devices.
>
> The third problem is that when it checks for possible new encrypted
> external devices (via a submenu I made for external devices, so that it
> gets refreshed at the time you enter it) it takes a lot of time to
> *check again already checked* devices. Thus it not only takes a lot of
> time the first time I enter the submenu to decrypt what’s to decrypt,
> which is normal and fine, but it also takes a lot of time the *second*
> time I go into this submenu, without asking for a password (which is
> normal: there’s nothing more to decrypt & mount), so when entering it
> the screen remains blank for a long time (which is quite annoying, and
> even creepy for an unaware user).
>
> That could be solved by trying to cryptomount each device one after
> another if it’s new, checking that by storing the UUIDs of all present
> devices in a variable before each check and then trying to cryptomount
> only what’s not present in it. That’s a great amount of complexity, but
> the worst is that I have the problem of being forced to use “-a” to
> mount LVM.
>
> Thus just fixing the LVM problem could solve all the other problems, but
> adding features inside cryptomount not to check a device twice (and even
> not having to check UUIDs for internal devices for that, since they
> normally won’t change) could really be great; it would decrease config
> complexity and make it more usable (and I don’t see how such a
> systematic new-device check, so as not to systematically lose time
> checking internally, could cause problems).