[dm-crypt] ing rootfs without initramfs

Milan Broz gmazyland at gmail.com
Sun Jul 21 14:27:17 CEST 2013


On 07/21/2013 11:01 AM, Thomas Bächler wrote:
> Am 21.07.2013 10:47, schrieb Milan Broz:
>> I think using some initramfs is the only solution now for mapping
>> encrypted root fs (for now).
> 
> I would remove "for now" from your statement. Unlocking the volume from
> kernel code itself requires that the kernel learns how to ask for
> passphrases and/or find key files, do LUKS header processing and accept
> device-mapper parameters in some way.
> 
> This is very complicated to do in kernel code and adds tons of kernel
> code for tasks that do not belong into the kernel. Such patches will
> never be accepted upstream, since there is a more flexible and less
> error-prone mechanism to solve the problem (it's called "initramfs", if
> you didn't guess it already).

Never say never :)

Imagine you have system which stores keys in something like TPM and
you have "trusted" boot path. I can see that dm-crypt
itself receives key from such hw through kernel keyring directly and
we do not need much userspace interaction.
Basically it needs just some keyid on kernel command line (plus
more metadata info similar to patch I referenced).

That said I almost completely agree with your statement. And LUKS
parsing is completely userspace thing.

Milan


More information about the dm-crypt mailing list