On Thu, Oct 29, 2015 at 12:10 PM, <stakanov@freenet.de> wrote:
This is a fresh install of the latest snapshot of TW with password protected grub and Luks LVM. No gimmicks other than this modified or set. So this does not work, at least if the BIOS is not UEFI but an older Award BIOS. I checked and that option to allow boot if no parameters are altered is already set. I did unset it and reset it and saved. Still it asks for password of grub2 or it will not boot.
https://bugzilla.opensuse.org/show_bug.cgi?id=952626
There are two possibilities: a) bug in grub
b) malware in the usb-firmware setting a boot parameter before starting up the system. History behind that: I have had a very strange behavior of the keyboards of my PC. I had originally a MS keyboard on this system with former installation but after loading the kernel I would never have been able to input my luks password (if it was not with the MS keyboard used at install, e.g. a Cherry keyboard was seen and working up to the kernel was loaded, then practically without function). That raised in me the doubt that something emulated the keyboard. Even more so because I had the very same behavior before on my notebook. On that notebook after inserting a USB key of untrusted source, my password in a CLI for root suddenly echoed, my system was blocking and I found rpcbind listening permanently and persistent on port 111 to the www. The keyboard would not work anymore on the docking station after a kernel upgrade while the notebook keyboard did. (While the usb-key in question was used only once on the notebook w/o docking station.) That famous foreign usb-key did not mount as expected in opensuse. Actually, it did not mount at all because in secure mode, the pop-up asking root to mount it was never appearing. Hence I gave it a try with a new install from scratch by formatting all the HDD and then giving it a try. This very USB-key I did use also on my PC afterwards (because I was rightly not knowing about a potential problem with USB).
Long story short, that's all fishy to me and I would like to be sure not having "little green men".
In the light of the bad-usb story (which can be apparently programmed by whatever script kiddie), how can one check if an unwanted boot parameter has been passed to grub while booting up? Or does journalctl document such parameters somewhere? BTW, I am also getting while booting the system now the following error message in my logs that I sincerely do not understand: from "journalctl -r". AFAIK I do not have an fstab in Tumbleweed from scratch.
Oct 29 09:19:25 linux-e3dj systemd[1]: Started Reload Configuration from the Real Root.
Oct 29 09:19:25 linux-e3dj systemd[1052]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with error code 1.
Oct 29 09:19:25 linux-e3dj systemd-fstab-generator[1055]: Failed to create mount unit file /run/systemd/generator/sysroot.mount, as it already exists. Duplicate entry in /etc/fstab?
Sorry for being paranoid but to a certain extent I have reason to be. If it is just a bug in grub, I am cheerful and everybody is happy to have found one, to report and correct, right? :-) As it is, it is really annoying to have to put in the user "root" and the password of Grub every boot.
-----Original Message----- From: Andrei Borzenkov Sent: Thu. 29.10.2015 09:05
I did set password-protected grub, but I was used to the behavior that you are asked the password only if you set a supplemental boot parameter. Has this changed?
There should be "Allow to boot locked default entry without password" option.
Why am I asked for the "user"? Isn't it expected by default that it is root?
yast-bootloader creates a password for user root. But GRUB has no way to know if you want to authenticate yourself as user "root" or any other user.
-----End of Original Message-----
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
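One way to run the check asked about in the message above (whether an extra boot parameter reached the kernel), added here as an example and not part of the original thread: the kernel exposes the command line it was booted with in /proc/cmdline and logs it at boot, so it can be compared with what the bootloader was configured to pass. The function name `unexpected_params` and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list kernel parameters the running system was booted with
# that are absent from the command line the bootloader was configured to pass.
#
# On a real system (not run here, so the example works offline):
#   running:  cat /proc/cmdline
#             journalctl -k -b | grep 'Kernel command line'   # same string, as logged by the kernel
#   expected: the arguments of the `linux` line of the booted entry in grub.cfg

# unexpected_params RUNNING EXPECTED
# Prints every word of RUNNING that is not a word of EXPECTED, one per line.
# Runs in a subshell so that `set -f` (no globbing of words such as "a=*")
# and the loop variables do not leak into the caller.
unexpected_params() (
    set -f
    for p in $1; do
        case $p in
            BOOT_IMAGE=*) continue ;;  # added by GRUB itself; names the kernel file
        esac
        known=0
        for e in $2; do
            if [ "$p" = "$e" ]; then known=1; break; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
)

# Constructed sample values, not taken from the thread.
expected='root=/dev/mapper/system-root splash=silent quiet showopts'
running='BOOT_IMAGE=/boot/vmlinuz-X.Y.Z-default root=/dev/mapper/system-root splash=silent quiet showopts constructed.extra=1'

extra=$(unexpected_params "$running" "$expected")
if [ -n "$extra" ]; then
    printf 'parameters not in the configured command line:\n%s\n' "$extra"
else
    printf 'running command line matches the configured one\n'
fi
```

A parameter reported here only shows that the kernel received something the configuration does not contain; an entry edited by hand at the GRUB menu produces the same difference.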