[trimmed Ccs]
On Wed, 10 Oct 2012, Milan Broz wrote:
> I see no major problem with relicensing (but need to check properly).
> If it helps to use it more broadly, it would be nice (with available
> source code for everyone).

Yeah, if you're planning on looking into relicensing, I'd encourage you to
make as much of cryptsetup as you can GPLv2+ instead of GPLv2, so that the
code is more reusable in other projects, even if it ends up not being
relevant for my specific use case.

> What is not clear here (not related to problems above) is where
> you want to store root hash and how grub2 will securely obtain it...

I've raised this on the GRUB list:
http://thread.gmane.org/gmane.comp.boot-loaders.grub.devel/19404

Basically my plan is to add another GRUB command to verify a signed file
and load configuration or variables from it (or parse it with the Lua
grub-extra, which we're already using), and then build a top-level
grub.efi with our certificate embedded. So our build server would do
something like `veritysetup format image.iso image.iso.verity | sed ... |
gpg --clearsign > image.iso.root-hash` after creating the ISO, and ship
all three files when doing an update.

Which reminds me to thank you for the "veritysetup support for files"
patch -- in some testing by hand, it works pretty well.
--
Geoffrey Thomas
gthomas@xxxxxxxxxxxx
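
Added example, not part of the original message and not cryptsetup or GRUB code: a simplified Python model of a verity-style hash tree, showing why the plan above only needs the root hash signed while the image and hash-tree files can ship unsigned. Assumptions: salted SHA-256, 4096-byte blocks, salt prepended to each block, and illustrative function names; the layout is not claimed to be bit-compatible with veritysetup's on-disk format.

```python
import hashlib
import hmac

BLOCK = 4096    # data/hash block size (assumed; veritysetup's default)
DIGEST = 32     # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST  # digests held by one hash block


def _h(salt, block):
    # Salt is prepended to each block before hashing (assumed layout).
    return hashlib.sha256(salt + block).digest()


def _blocks(buf):
    # Split into BLOCK-sized pieces, zero-padding the last one.
    return [buf[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(buf), BLOCK)]


def build_tree(image, salt):
    """Build-server side: return (levels, root_hash) for a non-empty image."""
    if not image:
        raise ValueError("empty image")
    levels, digests = [], [_h(salt, b) for b in _blocks(image)]
    while True:
        level = _blocks(b"".join(digests))
        levels.append(level)
        if len(level) == 1:
            return levels, _h(salt, level[0])
        digests = [_h(salt, b) for b in level]


def verify_block(block, index, levels, salt, trusted_root):
    """Reader side: check one data block using the untrusted tree and the signed root."""
    digest = _h(salt, block.ljust(BLOCK, b"\0"))
    for level in levels:
        index, off = divmod(index, PER_BLOCK)
        if index >= len(level) or level[index][off * DIGEST:(off + 1) * DIGEST] != digest:
            return False
        digest = _h(salt, level[index])
    return hmac.compare_digest(digest, trusted_root)


if __name__ == "__main__":
    # Constructed sample: 300 distinct 4096-byte blocks standing in for image.iso.
    image = b"".join(i.to_bytes(4, "big") * 1024 for i in range(300))
    levels, root = build_tree(image, b"constructed-salt")
    print(root.hex(), verify_block(image[:BLOCK], 0, levels, b"constructed-salt", root))
```

A block that is modified together with a consistently recomputed hash tree still fails, because the walk ends in a comparison against the root hash taken from the signed file.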