Root filesystem encryption update

Thomas Swan thomas.swan at gmail.com
Tue Jun 19 15:48:44 UTC 2007


On 6/19/07, Peter Jones <pjones at redhat.com> wrote:
>
> Tony Nelson wrote:
> > At 4:50 PM -0500 6/18/07, Bruno Wolff III wrote:
> >> On Mon, Jun 18, 2007 at 16:51:55 -0400,
> >>  Jeremy Katz <katzj at redhat.com> wrote:
> >>> On Mon, 2007-06-18 at 14:07 -0500, Bruno Wolff III wrote:
> >  ...
> >>>> Heck, for key maps there probably aren't so many that you can't try
> >>>> multiple possibilities after getting the password.
> >>> There are at least 30-40 that we allow in the installer alone at the
> >>> console.  find /lib/kbd/keymaps/i386 -type f | wc -l gives around 140.
> >>> I don't think that trying either is really that practical.
> >> 40 probably isn't too many to make trying them all impractical. I expect
> >> that it will take less than a second to try each one even with measures
> >> to slow down password guessing. That's not nice for suspend resume, but
> >> wouldn't be a deal breaker for initial boots.
> >  ...
> >
> > Couldn't it just start with the one that worked last time?
>
> Not really.  We need to ask for the passphrase during thaw, in the
> initrd.  At that time, the filesystem containing /boot is in the mounted
> state, so we can't mount it to write the data anywhere.  There's also no
> mechanism to pass data from the running kernel to the one we're
> restoring into memory, which means we can't save the data during the
> userland thaw sequence, either.


I think we might be putting the cart before the horse.   A user would be
thawing from hibernation on a machine with an *existing* installation.
Therefore, language and keymaps would have been chosen (during installation)
prior to the hibernate operation.

Could it be possible to store the keyboard map in the initrd?  During the
install we select all of these.  So, adding an option to
/etc/sysconfig/mkinitrd for KEYMAP and/or LANGUAGE and saving/loading it in
the initrd (by regeneration) after installation should be pretty
straightforward.   We could switch to the encryption options after
keyboard/language has been selected/loaded.

Is this even plausible?


-- 
The early bird may get the worm, but it's the second mouse that gets the
cheese.