Root filesystem encryption update

Peter Jones pjones at redhat.com
Tue Jun 19 15:11:11 UTC 2007


Tony Nelson wrote:
> At 4:50 PM -0500 6/18/07, Bruno Wolff III wrote:
>> On Mon, Jun 18, 2007 at 16:51:55 -0400,
>>  Jeremy Katz <katzj at redhat.com> wrote:
>>> On Mon, 2007-06-18 at 14:07 -0500, Bruno Wolff III wrote:
>  ...
>>>> Heck, for key maps there probably aren't so many that you can't try
>>>> multiple possibilities after getting the password.
>>> There are at least 30-40 that we allow in the installer alone at the
>>> console.  find /lib/kbd/keymaps/i386 -type f | wc -l gives around 140.
>>> I don't think that trying either is really that practical.
>> 40 probably isn't too many to make trying them all impractical. I expect
>> that it will take less than a second to try each one even with measures
>> to slow down password guessing. That's not nice for suspend resume, but
>> wouldn't be a deal breaker for initial boots.
>  ...
> 
> Couldn't it just start with the one that worked last time?

Not really.  We need to ask for the passphrase during thaw, in the 
initrd.  At that time, the filesystem containing /boot is in the mounted 
state, so we can't mount it to write the data anywhere.  There's also no 
mechanism to pass data from the running kernel to the one we're 
restoring into memory, which means we can't save the data during the 
userland thaw sequence, either.

-- 
   Peter
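As an added illustration of the "try every keymap after the passphrase is typed" approach discussed above (this is example code written for this page, not Fedora, anaconda or cryptsetup code): the initrd reads the key sequence under one keymap, re-interprets it under each candidate keymap, and runs the slow key derivation once per distinct candidate. The layout tables are constructed and deliberately partial (a few letter swaps for QWERTZ and AZERTY, a full letter map for Dvorak), the "key slot" is a stand-in for a real LUKS slot (PBKDF2-HMAC-SHA256 plus a constant-time digest compare), and the console at thaw is assumed to be in the "us" keymap, so the string the initrd reads is the physical key sequence itself.

```python
"""Re-interpret a typed passphrase under several console keymaps and try each.

Added example; not Fedora/anaconda/cryptsetup code.  Layout tables are
constructed and partial, and the key slot is a simplified stand-in for LUKS.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Each table maps the character a physical key produces under US QWERTY to the
# character the same key produces under the named layout.  Unlisted keys are
# assumed unchanged (constructed, simplified tables; real keymaps are larger).
_DVORAK = dict(zip("qwertyuiop[]asdfghjkl;'zxcvbnm,./",
                   "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"))
LAYOUTS = {
    "us": {},
    "de": {"y": "z", "z": "y"},                      # QWERTZ: y/z swapped
    "fr": {"a": "q", "q": "a", "z": "w", "w": "z"},  # AZERTY: a/q and z/w swapped
    "dvorak": _DVORAK,
}

ITERATIONS = 20_000  # kept small so each try is well under a second in the demo


def retype(keys_us: str, layout: str) -> str:
    """Characters produced when the physical keys `keys_us` are pressed under `layout`."""
    table = LAYOUTS[layout]
    return "".join(table.get(ch, ch) for ch in keys_us)


def keys_pressed(passphrase: str, layout: str) -> str:
    """Inverse of retype(): the keys (as US QWERTY chars) that type `passphrase` under `layout`."""
    inverse = {v: k for k, v in LAYOUTS[layout].items()}
    return "".join(inverse.get(ch, ch) for ch in passphrase)


def derive(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow key derivation; this is what makes each keymap guess cost real time."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def enroll(passphrase: str, salt: Optional[bytes] = None) -> dict:
    """Stand-in for creating a key slot: salt, iteration count and a digest of the derived key."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(derive(passphrase, salt)).digest()
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def unlock(candidate: str, slot: dict) -> bool:
    """Does `candidate` open the slot?  Constant-time compare of the derived-key digest."""
    digest = hashlib.sha256(derive(candidate, slot["salt"], slot["iterations"])).digest()
    return hmac.compare_digest(digest, slot["digest"])


def try_layouts(observed: str, slot: dict, candidates=tuple(LAYOUTS)) -> Optional[dict]:
    """Re-interpret the observed key sequence under each candidate keymap and try each.

    Candidates that produce an identical string are only run through the KDF once,
    so the cost is bounded by the number of *distinct* strings, not of keymaps.
    Returns the matching layout, the number of KDF runs and the elapsed time, or None.
    """
    start = time.monotonic()
    seen = set()
    kdf_runs = 0
    for layout in candidates:
        candidate = retype(observed, layout)
        if candidate in seen:
            continue
        seen.add(candidate)
        kdf_runs += 1
        if unlock(candidate, slot):
            return {"layout": layout, "kdf_runs": kdf_runs,
                    "seconds": time.monotonic() - start}
    return None


if __name__ == "__main__":
    # Constructed scenario: the passphrase was set while the console was in "de";
    # at thaw the initrd console is in "us", and the user presses the same keys.
    slot = enroll("zyklus-42")
    observed = keys_pressed("zyklus-42", "de")
    print("initrd read:", observed)
    print(try_layouts(observed, slot))
```

The dedup step matters in practice: most of the 140 files under /lib/kbd/keymaps/i386 are variants that agree on the characters a typical passphrase uses, so the number of KDF runs is usually far below the number of keymaps, which is what makes the per-boot cost tolerable.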




More information about the fedora-devel-list mailing list