Re: Bug 1742953 - No Screensaver/Powerdown after Inactivity at LUKS Password Prompt [FutureFeature]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/20/19 11:15 PM, John Harris wrote:
There is no significant fire risk from this. It's just not good for the
laptop. There's not exactly a temperature range that can cause damage, but
there is a nominal range for each individual chip, and a nominal range for the
entire system based on that.

You're right that fire is not the principal risk: instead, it's cooking the chemicals in the LCDs and batteries---not the chips, which typically have operating maximum temperature of 80C. The LCD operating temperature is typically up to 50C, and a typical absolute maximum  temperature is 60-70C (*). The batteries have similar limits. Solomon reported burning sensation, which typically means 60C or more.

I think we can all agree that shutting the system down is not the appropriate behavior, right?
I would prefer a suspend---hit a key or move a mouse and see the prompt again. Still, what's wrong with a quick reboot? The additional time from power up to disk decryption is typically short, unless we're talking servers with tons of secondary firmware. I think Fedora should optimize for laptops/desktops, so if we had to chose one default I would vote for sleep, or shutdown if sleep was not available.
Why would this behavior be in any way desirable on a desktop system? A TPM or
other hardware key storage does not solve the same problem as asking for a key
to be entered to decrypt.

but it's less secure---the decryption password hashes (**) have to be present on the media. Bitlocker in TPM mode has the secrets locked in the TPM, and as an added benefit uses the 'enterprise' authorization scheme, with revocation, recovery keys, single logon (no separate decryption and login credentials), etc. You wrote that bitlocker 'configured properly ... simply shows a prompt forever', but I think that the current best practice is to use TPM, in which case the system proceeds to the login prompt, and the full decryption is only done after user authentication. I think that's how FileVault in MacOS works, and perhaps Linux is also heading this way.


(*) https://www.pacificdisplay.com/cdm/CDM-40200.pdf

(**) Note that in a commercial context this includes the user password as well as any recovery passwords, which may be common across the enterprise so the risk is even more significant.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux