grub-devel

grub keyfile read errors support


From: Alexey Kuznetsov
Subject: grub keyfile read errors support
Date: Mon, 12 Feb 2024 15:36:40 +0300
User-agent: Evolution 3.46.4-2

Hello John!

I see your commit 81b2f625f54cb670e36739e3a599daafd34bc44a, about
adding key-file support. This is great! I've been waiting a long time
for official grub support for removable key files.

I suppose the grub key file is meant to be kept on a separate drive
with a fast-removal feature (i.e. USB), not on the same drive? Basically
using USB as a removable, cheap TPM device. Right? Great!

If so, then why doesn't your code allow users to remove a removable key?
Because your code strictly requires the key file to exist and be
readable, and if grub fails to read the key then the cryptomount
function will fail.

As we know, the grub rescue shell is very limited, and doesn't even have
an 'if' statement. The initial script can only have a few commands like
'search' or 'cryptomount'. There is no option for the user to write a
script which can check that the key file exists and is readable before
calling the 'cryptomount' function. So if we want to support removable
keys, then the code should allow reading the key to fail.

Here is my patch on top of your work, attached.

Attachment: cryptoskip.patch
Description: Text Data
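The scenario the mail describes, as an added illustration that is not part of the mail, of the attached patch, or of GRUB's own code: an early (embedded) GRUB script that looks for the key file on a removable USB stick and passes it to cryptomount. The filesystem label KEYUSB, the path /luks.key, the variable name keydev and the LUKS UUID placeholder are all assumptions; the -k/--key-file option is the spelling used by GRUB 2.12's cryptomount, and the exact option name in the referenced commit is not shown on this page.

```grub
# Added example (not from the mail or from GRUB). All names below are
# illustrative assumptions: label KEYUSB, file /luks.key, variable keydev.

# Locate the removable USB stick by filesystem label. If the stick is not
# plugged in, search reports an error but does not abort the script, and
# $keydev is simply left unset.
search --no-floppy --label KEYUSB --set=keydev

# Unlock the LUKS volume with the key file from the stick (-k / --key-file
# as in GRUB 2.12's cryptomount; <luks-uuid> is a placeholder).
# With the strict behaviour the mail describes, a missing or unreadable
# ($keydev)/luks.key makes this command fail and boot stops here; with the
# behaviour the mail asks for, the failed read would instead fall back to
# the interactive passphrase prompt.
cryptomount -k ($keydev)/luks.key -u <luks-uuid>

# The rescue environment has no 'if', so there is no way to test for the
# key file before the cryptomount line above; the fallback has to live
# inside cryptomount itself. Once unlocked, hand over to the real config.
set root=(crypto0)
configfile /boot/grub/grub.cfg
```

With the stick present this unlocks the volume without any prompt; with the stick removed, the only difference between the two behaviours is whether the cryptomount line is a hard error or a passphrase prompt, which is exactly the point the mail raises.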

