| 1 |
Hi, |
| 2 |
|
| 3 |
@Marko |
| 4 |
tl;dr: it's going a bit offtopic. |
| 5 |
Marko, try to hardcompile those modules into your kernel. |
| 6 |
This should be the simplest fix of your problem. |
| 7 |
|
| 8 |
On 04/18/2015 02:44 PM, Heiko Baums wrote: |
| 9 |
> Am 18.04.2015 um 14:12 schrieb Ralf: |
| 10 |
> |
| 11 |
>> No. Could you please explain why you think so? |
| 12 |
>> Even if your root partition is encrypted, your ramdisk could load the |
| 13 |
>> modules. |
| 14 |
> Are you sure about that? Are you sure that the necessary modules are |
| 15 |
> definitely put into the initrd and that the kernel will be able to load |
| 16 |
> them soon enough at boot time? |
| 17 |
I double checked it and now I am sure: |
| 18 |
|
| 19 |
For reasons of comfortability I inspected a standard Arch-Linux |
| 20 |
installation. |
| 21 |
It supports rootfs encryption and xts is loaded in the initrd as module. |
| 22 |
So it is possible to treat it as a module. |
| 23 |
|
| 24 |
Besides that: Why should your kernel config allow you to compile it as |
| 25 |
module if it isn't useable as module? |
| 26 |
> |
| 27 |
> Compiling those modules into the kernel is definitely more secure (in |
| 28 |
> terms of being sure that they are always available) and doesn't do any |
| 29 |
> harm, because they need to be loaded anyway. |
| 30 |
Yes for a homebrew kernel, i can second that. |
| 31 |
> |
| 32 |
> Btw., several dm-crypt/LUKS documentation (all that I've read) say that |
| 33 |
> those modules have to be compiled into the kernel directly. |
| 34 |
> |
| 35 |
>> After loading the modules you can see that they are available by cat |
| 36 |
>> /proc/crypto. |
| 37 |
> You won't be able to run this command when the kernel tries to unlock |
| 38 |
> the LUKS container at boot time. |
| 39 |
No, but it is accessible when creating your LUKS volume, and that's |
| 40 |
Marko problem at the moment. |
| 41 |
> |
| 42 |
>> The modules can be loaded _after_ bootup as well. |
| 43 |
> If you want to unlock the LUKS container at boot time (particularly if |
| 44 |
> your root partition is encrypted), loading the modules after bootup is |
| 45 |
> too late. |
| 46 |
Loading those modules during the early bootup phase in your initrd is |
| 47 |
actually not too late. |
| 48 |
|
| 49 |
Ah, and for completeness sake: |
| 50 |
Grub2 is able to speak LUKS. So your kernel and initrd maybe inside an |
| 51 |
encrypted volume. |
| 52 |
|
| 53 |
> |
| 54 |
> So I wouldn't risk it. |
| 55 |
Neither do I. |
| 56 |
|
| 57 |
Cheers |
| 58 |
Ralf |
Archives