I wish Jari would change the README to clarify the possibility of building and installing loop-aes without a kernel recompile by replacing an existing loop driver module. As I recall the possibility of not recompiling the kernel exists in the README only with regard to upgrading an existing loop-aes loop.o, and not with regard to replacing a non-loop-aes loop.o. As I understand it you still have to recompile the kernel if you want to encryot the root filesystem or if the loop driver has been compiled into the kernel. I think loop-aes would be much more widely adopted if this was better understood. I think a ,ot of users assume you have to replace the kernel based on the README just to encrypt a partition, and they think, "oh can't be bothered". Then they use dmcrypt or whatever. --- Max Vozeler <max@xxxxxxxxxxxx> wrote: > Hi markus, > > On Sat, Jun 09, 2007 at 04:32:18PM +0200, markus > reichelt wrote: > > * Max Vozeler <max@xxxxxxxxxxxx> wrote: > > > > > It seems to me like building kernels during > installation could > > > prove rather complex and might be error prone. > Fortunately, for > > > loop-AES this is not required. Most distribution > kernels include > > > the standard kernel loop driver as module so > that it can be > > > "overridden" by the loop-AES version without > recompile of the > > > kernel. > > > > Hmm, I thought the recompile was needed (strictly > following the > > readme). Are you sure? ;-) > > Yes, that's fine (to the best of my knowledge). > > The loop driver is very self-contained: In the > mainline kernel > there is no other user of loop.h or symbols exported > from the loop > driver apart from the cryptoloop driver. cryptoloop > might break if > used with loop-AES, but apart from that, I don't > think there is > any problem replacing the loop module with loop-AES. > > > In practice one must be careful to ensure the > correct module > being loaded, be it by overwriting/diverting the > original module or > by installing into /lib/modules/$KERNEL/updates for > 2.6 kernels. I > think that this is the reason Jari explicitly > mentions having to > have CONFIG_BLOCK_DEV_LOOP=n in the documentation. > Jari, please > correct me if that's wrong. > > The Debian loop-AES packages have been replacing the > module in > this way for quite some time now with no problems > that I know of. > I don't see why it wouldn't work or why it would be > unsafe. That > said, if there _are_ any problems I'm not > seeing/considering, I > would appreciate if someone could swing a clue bat > my way ;-) > > cheers, > Max > > - > Linux-crypto: cryptography in and on the Linux > system > Archive: > http://mail.nl.linux.org/linux-crypto/ > > ____________________________________________________________________________________ Get the Yahoo! toolbar and be alerted to new email wherever you're surfing. http://new.toolbar.yahoo.com/toolbar/features/mail/index.php - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
