Re: grub keyfile read errors support

From: Glenn Washburn
Subject: Re: grub keyfile read errors support
Date: Mon, 26 Feb 2024 21:43:05 -0600
On Mon, 12 Feb 2024 15:36:40 +0300
Alexey Kuznetsov <kuznetsov.alexey@gmail.com> wrote:
> Hello John!
>
> I see your commit 81b2f625f54cb670e36739e3a599daafd34bc44a, about
> adding key-file support. This is great! I've been waiting for grub
> official support for removable key-file support for a long time.
>
> I suppose the grub key-file is meant to keep key files on a separate drive
> with a fast removal feature (aka USB), not on the same drive? Basically
> using USB as a removable, cheap TPM device. Right? Great!
I can't speak for John, but my use case wasn't to keep it on a separate
drive per se.
>
> If so. Then why does your allow users to remove a removable key?
I don't understand this, can you rephrase the question?
> Because your code strictly requires the key file to exist and be
> available to read, and if grub fails to read the key then the cryptomount
> function will fail.
Yes, this is expected.
> As we know the grub rescue shell is very limited, and doesn't even have an
> 'if' statement. The initial script can only have a few commands like 'search'
> or 'cryptomount'. There is no option for the user to write a script which
> can check if the key file exists and is readable before calling the 'cryptomount'
> func. Then if we want to support removable keys, the code should allow
> reading the key to fail.
The rescue shell is not meant for what you're wanting to do with it.
Use the normal shell and you'll get all those features.
>
> Here is my patch on top of your work, attached.
>
Thanks for your interest in improving GRUB. However, I don't think this
should be included as there are existing ways to accomplish what you
want to do.
Glenn
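As an added illustration of the "use the normal shell" answer above (this is example configuration written for this page, not Glenn's, Alexey's, or the GRUB project's code), the fragment below shows the check-before-cryptomount logic that the rescue shell cannot express but the normal shell can: it searches for a key file on a removable device and falls back to the interactive passphrase prompt when the key is absent, unreadable, or rejected, so a missing USB stick degrades to a prompt instead of a failed cryptomount. The LUKS UUID, the key-file path, the `$keydev` variable name and the `/boot/grub/grub.cfg` hand-off are placeholders chosen here, and `cryptomount -k` is assumed to be the key-file option introduced by the commit referenced in the thread.

```grub
# Added example grub.cfg fragment (not from the original mail or GRUB).
# Runs under the normal shell, which provides `if`, `test`/`[`, `search`
# and `$?`; the rescue shell has none of these.

insmod part_gpt
insmod fat
insmod cryptodisk
insmod luks2

# Placeholders: replace with the real LUKS UUID and key-file path.
set luks_uuid="00000000-0000-0000-0000-000000000000"
set keyfile="/keys/root.key"

# Look for the key file on any attached filesystem. On success `search`
# sets $keydev; on failure it reports an error and leaves it unset.
unset keydev
search --no-floppy --file "$keyfile" --set=keydev

if [ -n "$keydev" ]; then
    if [ -f "($keydev)$keyfile" ]; then
        echo "Key file found on ($keydev), unlocking with it"
        # Assumption: -k is the key-file option added by the referenced commit.
        cryptomount -u "$luks_uuid" -k "($keydev)$keyfile"
        if [ "$?" != "0" ]; then
            # Present but rejected (e.g. wrong key): fall back to a prompt.
            echo "Key file rejected, falling back to passphrase"
            cryptomount -u "$luks_uuid"
        fi
    else
        echo "Key file not readable on ($keydev), falling back to passphrase"
        cryptomount -u "$luks_uuid"
    fi
else
    echo "No removable key file present, falling back to passphrase"
    cryptomount -u "$luks_uuid"
fi

# Placeholder hand-off to the main configuration on the unlocked volume.
set root=(crypto0)
configfile /boot/grub/grub.cfg
```

Because the key-file device is resolved by `search` at boot time rather than by a fixed device name, the same configuration works whichever port the removable device is plugged into, and every failure path ends at the passphrase prompt rather than at a hard `cryptomount` error.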