tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

Thor Lancelot Simon wrote:
I've been looking into if it's possible to hard code the cgd parameters in a kernel configuration, and tell the kernel to mount root on a cgd-device. The goal is to be able to have the cgd parameters physically separated from the rest of the system (apart from the parameters in ram). Unfortunately, work has been keeping me too busy to put any real effort into it. I might just as well ask here; would it be possible to boot a kernel, which is hardcoded to use cgd0 as a root, off a USB memory key? Obviously the kernel will need to configure the cgd0 device prior to mounting root, which may be a source of difficulties.

Yes.  I hadn't considered the possibility of compiling the cgd parameters
into the kernel.  In that case, it's very easy.

You have to provide a way to compile the cgd parameters into the kernel,
and write a mountroothook which sets up the cgd.  Then it ought to just

Excellent. I have a rough idea about where I need to dig around to get this done. Unless it is to become a GSoC project, I'll allocate some time for this and start working on it more seriously.

The cgd parameters could probably even be passed by the boot loader
as kernel arguments.  Then this could even work with a generic kernel,
and be set up at install time.

The cgd parameters contains a salt value. Is it possible to store such arguments in a file separated from the kernel? It doesn't seem feasible for the user to enter these values manually each boot.

Kind regards,
Jan Danielsson

Attachment: signature.asc
Description: OpenPGP digital signature

Home | Main Index | Thread Index | Old Index