Re: GRUB & crypto? (& generally, more info on undocumented modules?)
From: Diagon
Subject: Re: GRUB & crypto? (& generally, more info on undocumented modules?)
Date: Wed, 24 Dec 2014 16:47:59 -0800
User-agent: Zoho Mail
---- On Mon, 22 Dec 2014 14:17:36 -0800 Jordan Uggla wrote ----
[...]
>As I understand it,
>when the kernel pivots to the actual root filesystem and thus no
>longer needs the initramfs that's loaded into RAM, it simply frees
>that memory without first zeroing it. That means that a process,
>running as any user, can just malloc ram and reads its uninitialized
>contents in a loop until it comes upon something that looks like your
>LUKS keyfile. Eventually, even if it takes multiple boots, it will
>succeed. This is why it's so important that an official protocol be
>developed between the kernel and bootloader, because then the kernel
>knows to treat any memory containing credentials carefully and ensure
>that it doesn't leak out to somewhere it shouldn't.
>--
>Jordan Uggla (Jordan_U on irc.freenode.net)
Fascinating, Jordan. Thanks for the insight.
From earlier in this thread:
>Grub can read files from LUKS and GELI volumes, but only FreeBSD's
>kernel currently has a protocol for passing credentials from grub to
>the kernel, so if you're using GNU/Linux and you use grub's LUKS
>support to read your kernel from your LUKS encrypted root, you will
>need to enter your password twice at boot: Once for grub, and again
>for linux.
Does this mean FreeBSD/GELI handles this problem differently? That they have
an "official protocol" for the bootloader/kernel link, and manage credentials
more carefully? If so, I might be tempted to start a move that I had intended
for some time in the future ...
(I am not too familiar with the BSDs yet, but I gather this is not the case
when using grub with Net/OpenBSD?)
/D.
PS. Also from earlier in this thread:
> The "hwmatch" command might be useful for you, but unfortunately it's
> an Ubuntu specific addition that hasn't made its way upstream.
Could you give me the usage of this command? All I could find under "usage" is:
hwmatch MATCHES-FILE CLASS
Match PCI devices.
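The concern Jordan raises above is credential bytes outliving the code that needed them. The kernel/bootloader side is out of reach for a userspace program, but the process that reads a keyfile can at least keep its own copy out of swap and scrub it deterministically before releasing the memory. The following is an added example written for this page, not code from GRUB or from anyone in the thread; it assumes POSIX mlock()/munlock() and uses a constructed 32-byte stand-in for the keyfile.

```c
/* Added example (not from the thread or from GRUB): handle a secret such as a
 * LUKS keyfile in process memory so its bytes are not left behind after use.
 * Assumes POSIX mlock()/munlock(); the "keyfile" is a constructed byte string. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead code after the buffer's last ordinary use. A plain
 * memset() followed by free() is routinely optimised away. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Returns 1 if every byte in buf is zero, else 0 (used to verify the wipe). */
int is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Stand-in for "using" the key: xor-fold it to one byte. Real code would hand
 * the key to the crypto layer and never derive anything this weak from it. */
unsigned char use_key(const unsigned char *key, size_t len) {
    unsigned char fold = 0;
    for (size_t i = 0; i < len; i++) fold ^= key[i];
    return fold;
}

/* Copy the key into a locked buffer, use it, wipe it, release it.
 * Return value: -1 on allocation failure, otherwise a status bitmask:
 *   bit 0: mlock() succeeded (may be 0 under a low RLIMIT_MEMLOCK)
 *   bit 1: buffer verified all-zero after the wipe
 * The folded value is written to *out. */
int handle_key(const unsigned char *keyfile, size_t len, unsigned char *out) {
    int status = 0;
    unsigned char *key = malloc(len);
    if (!key) return -1;
    if (mlock(key, len) == 0) status |= 1;   /* keep the pages out of swap */
    memcpy(key, keyfile, len);
    *out = use_key(key, len);
    secure_wipe(key, len);                   /* scrub before giving memory back */
    if (is_all_zero(key, len)) status |= 2;
    if (status & 1) munlock(key, len);
    free(key);
    return status;
}

int main(void) {
    unsigned char keyfile[KEY_LEN];          /* constructed stand-in, not a real key */
    memset(keyfile, 0x5a, KEY_LEN);
    keyfile[KEY_LEN - 1] = 0x0f;
    unsigned char out = 0;
    int st = handle_key(keyfile, KEY_LEN, &out);
    printf("mlock=%d wiped=%d fold=0x%02x\n", st & 1, (st >> 1) & 1, out);
    return st < 0;
}
```

The mlock() result is reported rather than treated as fatal: on a system with a small RLIMIT_MEMLOCK the call fails, and a program that silently continued would have no idea its key could be paged to disk. The wipe through a volatile pointer is the portable form of what explicit_bzero() or memset_s() provide where available.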