Hi,

@Marko
tl;dr: it's going a bit off-topic.
Marko, try to hardcompile those modules into your kernel.
This should be the simplest fix for your problem.

On 04/18/2015 02:44 PM, Heiko Baums wrote:
> On 18.04.2015 at 14:12, Ralf wrote:
>
>> No. Could you please explain why you think so?
>> Even if your root partition is encrypted, your ramdisk could load the
>> modules.
> Are you sure about that? Are you sure that the necessary modules are
> definitely put into the initrd and that the kernel will be able to load
> them soon enough at boot time?
I double checked it and now I am sure:

For reasons of comfortability I inspected a standard Arch Linux
installation.
It supports rootfs encryption and xts is loaded in the initrd as a module.
So it is possible to treat it as a module.

Besides that: Why should your kernel config allow you to compile it as a
module if it isn't useable as a module?
>
> Compiling those modules into the kernel is definitely more secure (in
> terms of being sure that they are always available) and doesn't do any
> harm, because they need to be loaded anyway.
Yes, for a homebrew kernel, I can second that.
>
> Btw., several dm-crypt/LUKS documentation (all that I've read) say that
> those modules have to be compiled into the kernel directly.
>
>> After loading the modules you can see that they are available by cat
>> /proc/crypto.
> You won't be able to run this command when the kernel tries to unlock
> the LUKS container at boot time.
No, but it is accessible when creating your LUKS volume, and that's
Marko's problem at the moment.
>
>> The modules can be loaded _after_ bootup as well.
> If you want to unlock the LUKS container at boot time (particularly if
> your root partition is encrypted), loading the modules after bootup is
> too late.
Loading those modules during the early bootup phase in your initrd is
actually not too late.

Ah, and for completeness' sake:
Grub2 is able to speak LUKS. So your kernel and initrd may be inside an
encrypted volume.

>
> So I wouldn't risk it.
Neither do I.

Cheers
Ralf
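
Added example, not part of the e-mail above: the /proc/crypto check mentioned in the thread, as a shell function that reports whether an algorithm such as xts(aes) is registered and whether it was compiled into the kernel or came from a loadable module. The function name `crypto_origin` and the sample text are constructed for illustration.

```shell
# Constructed sample in /proc/crypto format (not from a real machine).
# "module : kernel" means compiled into the kernel; any other value names
# the loadable module that registered the algorithm.
SAMPLE_PROC_CRYPTO='name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
'

# crypto_origin ALGO [FILE]   (hypothetical helper)
# FILE defaults to /proc/crypto; "-" reads the listing from stdin.
# Prints "driver<TAB>builtin" or "driver<TAB>module:NAME" for every
# registered implementation of ALGO; returns 1 if none is registered.
crypto_origin() {
    awk -v want="$1" '
        function emit() {
            if (name == want) {
                printf "%s\t%s\n", driver, (mod == "kernel" ? "builtin" : "module:" mod)
                found = 1
            }
            name = ""; driver = ""; mod = ""
        }
        /^[ \t]*$/ { emit(); next }          # blank line ends one record
        {
            i = index($0, ":")               # split "key : value" at first colon
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "name") name = val
            else if (key == "driver") driver = val
            else if (key == "module") mod = val
        }
        END { emit(); exit(found ? 0 : 1) }  # last record may lack a blank line
    ' "${2:-/proc/crypto}"
}

# Demo on the constructed sample: xts(aes) comes from a module here.
printf '%s' "$SAMPLE_PROC_CRYPTO" | crypto_origin 'xts(aes)' -
```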