On Thu, Apr 29, 2021 at 12:30 PM Petr Vorel wrote:
On 28.04.2021 23:11, Petr Vorel wrote:
On 28. 04. 21 at 19:20 Andrei Borzenkov wrote:
On 28.04.2021 18:27, Petr Tesařík wrote:
> On 15. 04. 21 at 14:16 Petr Vorel wrote:
>>> On 14.04.2021 21:05, Petr Vorel wrote:
>>>>> On 2021/04/13 22:24, Oliver Neukum wrote:
>>>>>> I have worse cases for you. / can be on LVM.
>>>>>> The assumption that a block cannot move without FS action is just
>>>>>> not right.
>>>>> ----
>>>>> Hey, many tell folks that boot should be a normal disk.
>>>>> Encrypted and raids...tend to be less well supported.
>>>> Yes, things like "full disk encryption" (LVM on LUKS on whole disk,
>>>> i.e. without separate /boot) are not supported by the openSUSE installer :(.
>>> Really? Have you tried?
>> Hm, I cannot find the bug I filed in 2017, which ended as wontfix.
>> But right, things might have changed, I'll retest it.
> Even if this works, how would GRUB read its configuration file from an
> encrypted disk? Are you suggesting that GRUB asks for the password
> first?
Yes.
> And then the Linux OS asks for this password again before it can
> mount the root filesystem?
It is possible to avoid it (arguably with lowered security) by storing keys in initrd.
> How is this an improvement over a separate
> /boot partition?
You are welcome to implement a protocol to pass secrets between bootloader and kernel. Some *BSD flavors support it, and it is also implemented in GRUB.
That's not my point. My point is that there is nothing secret stored under /boot. If it is a separate partition, it may be left unencrypted, avoiding the need to give a password to the boot loader. That's how my system boots today. If the kernel is moved to /usr (encrypted in my setup), I'll end up typing my disk password twice on each boot, and I perceive it as a regression.
Do we support /etc/crypttab [1]?
Is it a joke?

Not sure what particularly you mean :). But yes, I see we use it in openSUSE as well for adding cryptdevice config.
Well, it's not all. And I forgot the other pieces [3]: hook for initramfs (to copy "password" file crypto_keyfile.bin) and grub config (adding cryptdevice to GRUB_CMDLINE_LINUX and GRUB_ENABLE_CRYPTODISK=yes)
That allows passing the password from grub to initrd.
That's not "passing secret from bootloader to kernel". That is "storing key in initrd" which I already mentioned.

OK, sorry. It's just that it has the same effect for me (not having to type the password twice).
Kind regards, Petr
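The keyfile-in-initramfs setup described in the message above (a crypttab entry, an initramfs hook that ships crypto_keyfile.bin, and GRUB_ENABLE_CRYPTODISK plus cryptdevice on the kernel command line), written out as an added shell example for this page; it is not code from the thread or from the wiki pages it cites. It assumes an Arch-style initramfs with the mkinitcpio "encrypt" hook (which reads cryptdevice= and cryptkey=) and a GRUB 2 built with cryptodisk support; the UUID, mapper name, device path and keyfile path are placeholders. The privileged setup steps are collected in a function that the script defines but never calls.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from the wiki it
# cites. Assumes an Arch-style initramfs with the mkinitcpio "encrypt" hook
# (cryptdevice=/cryptkey= kernel parameters) and GRUB 2 built with cryptodisk
# support. The UUID, mapper name, device and keyfile paths are placeholders.

# /etc/default/grub fragment: GRUB_ENABLE_CRYPTODISK lets GRUB unlock the LUKS
# container that holds /boot (GRUB prompts for the passphrase); the kernel
# command line then tells the initramfs which container to open and that the
# key is a file shipped inside the initramfs (cryptkey=rootfs:<path>), so the
# kernel side does not prompt a second time.
grub_defaults() {
  uuid=$1 name=$2 keyfile=$3
  printf 'GRUB_ENABLE_CRYPTODISK=y\n'
  printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s:%s cryptkey=rootfs:%s"\n' \
    "$uuid" "$name" "$keyfile"
}

# /etc/crypttab line for the same container. Any other LUKS volume listed
# there with "none" in the key field still prompts after the root switch.
crypttab_line() {
  name=$1 uuid=$2 keyfile=$3
  printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# Read a crypttab on stdin and print the mapper names that will still ask for
# a passphrase (key field empty, "none" or "-"). Comments are skipped.
crypttab_prompting() {
  while read -r name dev key opts; do
    case $name in ''|'#'*) continue ;; esac
    case ${key:-none} in none|-) printf '%s\n' "$name" ;; esac
  done
}

# The keyfile is the disk key. Neither it nor the initramfs image in /boot
# that embeds it may be readable by group or others. Returns 0 when the
# group/other permission bits of $1 are all clear, 1 otherwise.
keyfile_perms_ok() {
  perm=$(ls -ld "$1" | cut -c5-10)   # the "group" and "other" rwx bits
  [ "$perm" = '------' ]
}

# One-time privileged setup, NOT run by this script: generate the keyfile,
# enroll it as an extra LUKS key slot, rebuild the initramfs with the file
# inside, regenerate grub.cfg and lock down the resulting image.
setup_keyfile() {
  dev=$1 keyfile=${2:-/crypto_keyfile.bin}
  (umask 077 && dd bs=512 count=4 if=/dev/urandom of="$keyfile" 2>/dev/null)
  chmod 000 "$keyfile"
  cryptsetup luksAddKey "$dev" "$keyfile"
  # /etc/mkinitcpio.conf: FILES=(/crypto_keyfile.bin) and "encrypt" in HOOKS
  mkinitcpio -P
  grub-mkconfig -o /boot/grub/grub.cfg
  chmod 600 /boot/initramfs-*.img
}
```

Two caveats that follow from the thread: this is Andrei's "key stored in initrd" variant, not a bootloader-to-kernel secret handoff, so the boot-time passphrase only protects the key at rest while the container is locked, and once the system is up anyone who can read the keyfile or the initramfs image holds the disk key, which is what keyfile_perms_ok checks. GRUB must also be able to open the container itself: GRUB 2.06, current at the time of this thread, opens LUKS2 only when the key slot uses PBKDF2 rather than Argon2.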