On Thu, Apr 29, 2021 at 12:30 PM Petr Vorel <pvorel@suse.cz> wrote:
On 28.04.2021 23:11, Petr Vorel wrote:
On 28. 04. 21 at 19:20 Andrei Borzenkov wrote:
On 28.04.2021 18:27, Petr Tesařík wrote:
On 15. 04. 21 at 14:16 Petr Vorel wrote:
>> On 14.04.2021 21:05, Petr Vorel wrote:
>>>> On 2021/04/13 22:24, Oliver Neukum wrote:
>>>>> I have worse cases for you. / can be on LVM.
>>>>> The assumption that a block cannot move without FS action is just
>>>>> not right.
>>>> ----
>>>> Hey, many tell folks that boot should be a normal disk.
>>>> Encrypted and raids...tend to be less well supported.
>>> Yes, things like "full disk encryption" (LVM on LUKS on whole disk,
>>> i.e. without separate /boot) is not supported by openSUSE installer :(.
>> Really? Have you tried?
> Hm, I cannot find the bug I filed in 2017, which ended as wontfix.
> But right, things might have changed, I'll retest it.
Even if this works, how would GRUB read its configuration file from an encrypted disk? Are you suggesting that GRUB asks for the password first?
Yes.
And then the Linux OS asks for this password again before it can mount the root filesystem? It is possible to avoid it (arguably with lowered security) by storing keys in initrd.
How is this an improvement over a separate /boot partition?
You are welcome to implement a protocol to pass secrets between the bootloader and the kernel. Some *BSD flavors support it, and it is also implemented in grub.
That's not my point. My point is that there is nothing secret stored under /boot. If it is a separate partition, it may be left unencrypted, avoiding the need to give a password to the boot loader. That's how my system boots today. If the kernel is moved to /usr (encrypted in my setup), I'll end up typing my disk password twice on each boot, and I perceive it as a regression.
Do we support /etc/crypttab [1]?
Is it a joke? Not sure what particularly you mean :). But yes, I see we use it in openSUSE as well for adding cryptdevice config.
Well, that's not all. And I forgot the other pieces [3]: a hook for initramfs (to copy the "password" file crypto_keyfile.bin) and grub config (adding cryptdevice to GRUB_CMDLINE_LINUX and GRUB_ENABLE_CRYPTODISK=yes).
That allows passing the password from grub to initrd.
That's not "passing secret from bootloader to kernel". That is "storing key in initrd" which I already mentioned.
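Added example, not code from this thread or from openSUSE: a small POSIX shell audit of the layout discussed above (GRUB_ENABLE_CRYPTODISK=yes, a cryptdevice= kernel argument, and a crypttab keyfile copied into the initrd), including the caveat Andrei raises: a key stored in the initrd is only as protected as the initrd image itself. File paths, function names and the sample values (placeholder UUID, fake initrd) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "encrypted /boot plus keyfile
# in the initrd" layout. Paths are arguments so the checks run on copies.

# Check that GRUB was told to unlock LUKS itself and to pass cryptdevice= on.
grub_cryptodisk_enabled() {        # $1 = copy of /etc/default/grub
    grep -q '^GRUB_ENABLE_CRYPTODISK=yes' "$1" &&
        grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$1"
}

# Print every keyfile crypttab references (third column, unless "none" or "-").
crypttab_keyfiles() {              # $1 = copy of /etc/crypttab
    awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" && $3 != "-" { print $3 }' "$1"
}

# A key copied into the initrd is only as protected as the initrd image:
# succeed only if the image exists and neither group nor other can read it.
initrd_is_private() {              # $1 = initrd image
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Combine the checks; returns non-zero and explains when the layout is unsafe.
audit_encrypted_boot() {           # $1 grub defaults, $2 crypttab, $3 initrd
    status=0
    grub_cryptodisk_enabled "$1" ||
        { echo "grub: GRUB_ENABLE_CRYPTODISK/cryptdevice not configured"; status=1; }
    keys=$(crypttab_keyfiles "$2")
    if [ -n "$keys" ] && ! initrd_is_private "$3"; then
        echo "initrd readable by non-root while crypttab uses keyfile(s): $keys"
        status=1
    fi
    return $status
}

# Constructed sample configuration (placeholder UUID, fake initrd) for the demo.
demo=$(mktemp -d)
cat > "$demo/grub" <<'EOF'
GRUB_ENABLE_CRYPTODISK=yes
GRUB_CMDLINE_LINUX="cryptdevice=UUID=PLACEHOLDER-UUID:cryptroot root=/dev/mapper/cryptroot"
EOF
printf 'cryptroot UUID=PLACEHOLDER-UUID /crypto_keyfile.bin luks\n' > "$demo/crypttab"
printf 'fake initrd\n' > "$demo/initrd"
chmod 0644 "$demo/initrd"          # world-readable: the embedded key is exposed
audit_encrypted_boot "$demo/grub" "$demo/crypttab" "$demo/initrd" || echo "audit: FAIL"
chmod 0600 "$demo/initrd"          # root-only: consistent with the keyfile model
audit_encrypted_boot "$demo/grub" "$demo/crypttab" "$demo/initrd" && echo "audit: OK"
rm -rf "$demo"
```

Run it as the root user on a real system by pointing the three arguments at /etc/default/grub, /etc/crypttab and the installed initrd; a passing audit only shows the pieces are consistent, it does not change the trade-off the thread describes.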