Root filesystem encryption update
pjones at redhat.com
Tue Jun 19 15:11:11 UTC 2007
Tony Nelson wrote:
> At 4:50 PM -0500 6/18/07, Bruno Wolff III wrote:
>> On Mon, Jun 18, 2007 at 16:51:55 -0400,
>> Jeremy Katz <katzj at redhat.com> wrote:
>>> On Mon, 2007-06-18 at 14:07 -0500, Bruno Wolff III wrote:
>>>> Heck, for key maps there probably aren't so many that you can't try
>>>> multiple possibilities after getting the password.
>>> There are at least 30-40 that we allow in the installer alone at the
>>> console. find /lib/kbd/keymaps/i386 -type f | wc -l gives around 140.
>>> I don't think that trying either is really that practical.
>> 40 probably isn't too many to make trying them all impractical. I expect
>> that it will take less than a second to try each one even with measures
>> to slow down password guessing. That's not nice for suspend resume, but
>> wouldn't be a deal breaker for initial boots.
> Couldn't it just start with the one that worked last time?

Not really. We need to ask for the passphrase during thaw, in the
initrd. At that time, the filesystem containing /boot is in the mounted
state, so we can't mount it to write the data anywhere. There's also no
mechanism to pass data from the running kernel to the one we're
restoring into memory, which means we can't save the data during the
userland thaw sequence, either.