On 11/15/2016 07:32 AM, Sven Eschenberg wrote:
Obviously it is not a bug in cryptsetup, but rather in dracut and some distributions initrd scripts. What's really annoying about the CVE is the fact, that it is mostly irrelevant. If I can get to the password entry of an initrd, I obviously have control over the boot process. If I do have control over the boot process I have a splendid variety of options to do all the things described in the CVE. I wonder why the authors of the CVE recommend to freeze the system, instead of adding auth to get a shell. Seems quite stupid to completely remove the ability to investigate problems.
The boot process can be configured to deny that control (BIOS configured to boot from the internal drive only, GRUB set up to require a password for all except the default selection).
On a Red Hat system with an encrypted root filesystem, I get 5 attempts to enter the encryption password. Then the system locks up, and the only options are to (a) press <ESC> to dismiss the graphical boot screen and see a "wrong password" message, and/or (b) press CTRL-ALT-DEL to reboot.
-- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it. _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt