[arch-projects] [PATCH initscripts 0/4] allow random seed to be loaded before cryptsetup

Matthew Monaco dgbaley27 at 0x01b.net
Tue Mar 13 21:53:16 EDT 2012


On 03/13/2012 07:46 PM, Tom Gundersen wrote:
> Hi Matthew,
> 
> On Wed, Mar 14, 2012 at 1:27 AM, Matthew Monaco <dgbaley27 at 0x01b.net> wrote:
>> The ultimate goal here is FS#17131. I couldn't quite tell the best
>> approach in some places from looking at the existing code because
>> there's a little bit of everything.
> 
> Thanks for the patches. I'll just make some high-level remarks and
> I'll look at the details later:
> 
> Patch 1, 2 and 4 look good in principle.
> 
> However, patch 3 (implementing the FS) has an issue (which is the
> reason this has not been implemented yet). That is, it will not work
> as expected if /var is encrypted.
> 

This is why prior to cryptsetup is just an attempt. If that isn't possible, then
it's still performed in the same spot as before.

> In my opinion the proper solution for this is to split the crypttab
> handling into two parts: one that does not use /dev/urandom and one
> that does (which should be done after the random seed has been
> initialized). I know that Dave has been looking into refactoring the
> crypttab stuff, and hopefully that should make it much easier to make
> this happen.
> 

Yes, it'd be nice to run cryptsetup on as much as possible early, and then use
volumes with a major/minor 1/{8,9} later.

>> I wanted to keep the status text in rc.sysinit. Is this worthwhile?
> 
> I think that is a good idea wherever possible.
> 
> -t
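
The split discussed in this thread, as an added example that is not part of the original message or of initscripts: entries whose key is read from a character device with major/minor 1/8 or 1/9 (/dev/random, /dev/urandom) are deferred until the seed is loaded, and everything else can be set up early. The function names, the four-column crypttab layout and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from initscripts.

# True if $1 is a character device with major 1 and minor 8 (/dev/random)
# or minor 9 (/dev/urandom). stat prints both numbers in hex.
# Checking the device numbers also catches symlinks and renamed nodes.
is_rng_dev() {
    [ -c "$1" ] || return 1
    case "$(stat -Lc '%t:%T' "$1")" in
        1:8|1:9) return 0 ;;
    esac
    return 1
}

# Read crypttab lines on stdin and print the names that belong to phase $1:
#   early - key does not come from the kernel RNG; safe before the seed is loaded
#   late  - key is read from /dev/random or /dev/urandom; wait for the seed
# Assumed column layout: name, source device, key, options.
split_crypttab() {
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        if is_rng_dev "$key"; then phase=late; else phase=early; fi
        if [ "$phase" = "$1" ]; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample entries (not taken from any real system).
sample_crypttab() {
    cat <<'EOF'
# name  source     key                 options
home    /dev/sda3  ASK                 -
data    /dev/sda4  /etc/keys/data.key  -
swap    /dev/sda2  /dev/urandom        -c aes-xts-plain -s 256
tmp     /dev/sda5  /dev/random         -
EOF
}
```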


