On 07/21/2013 11:01 AM, Thomas Bächler wrote: > Am 21.07.2013 10:47, schrieb Milan Broz: >> I think using some initramfs is the only solution now for mapping >> encrypted root fs (for now). > > I would remove "for now" from your statement. Unlocking the volume from > kernel code itself requires that the kernel learns how to ask for > passphrases and/or find key files, do LUKS header processing and accept > device-mapper parameters in some way. > > This is very complicated to do in kernel code and adds tons of kernel > code for tasks that do not belong into the kernel. Such patches will > never be accepted upstream, since there is a more flexible and less > error-prone mechanism to solve the problem (it's called "initramfs", if > you didn't guess it already). Never say never :) Imagine you have system which stores keys in something like TPM and you have "trusted" boot path. I can see that dm-crypt itself receives key from such hw through kernel keyring directly and we do not need much userspace interaction. Basically it needs just some keyid on kernel command line (plus more metadata info similar to patch I referenced). That said I almost completely agree with your statement. And LUKS parsing is completely userspace thing. Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
