Some encryption-related projects

W. Michael Petullo mike at flyn.org
Thu Dec 9 03:46:34 UTC 2004


>> 2.  Encrypted root filesystem.
>>
>> Red Hat Bug #182479 discusses adding support for an encrypted root
 
> It's #124789.
 
>> filesystem to Fedora.  The bug contains a patch for mkinitrd that
>> facilitates this.  Eventually it would be nice to see support in anaconda
>> for this, but #182479 is the first step.
 
> One thing you miss in the latest patch is support for an encrypted
> root device on top of an LVM volume.
 
> With your patch the code does the following starting at about line 730 in 
> mkinitrd:
 
> if [ "$kernelmajor" == "2.4" ]; then
> # kernel 2.4.x LVM stuff
> elif [ -n "$root_enc" ]; then
> # crypto-root stuff
> else
> # kernel 2.6.x LVM stuff
> fi
 
> What you really want is to have the crypto root stuff occurring outside
> the if statement in question.  Also inside the "if [ -n "$root_enc"
> ]; then" block you want to have "if [ -z $root_lvm ]; then" around the
> "mkdmnod" bit so that mkdmnod doesn't get called twice.

I'm sorry, but I don't have any experience with LVM volumes.  What I
do know is that right now if root_enc=1 then root_lvm=1 but root_lvm=1
does NOT mean root_enc=1.  The tests go like this (line 852):

if [ is LVM (actually is device mapper) ]; then
  root_lvm=1
  if [ is encrypted ]; then
    root_enc=1
  fi
fi

So, how can I support both of these cases:

LVM volume, unencrypted
LVM volume, encrypted

?

I need a way to test if a root filesystem is really an LVM volume and
not possibly just a DM/encrypted volume.  In other words, how can I
ask "is this device mapper volume truly an LVM volume?"  Root_enc and
root_lvm need to be decoupled.

> Also in recent kernels the AES module is aes-i586 (maybe we should have an 
> alias in the module-init-tools config).

In my recent kernels, aes is not aes-i586 because my kernel is built
for PowerPC.  So I imagine an alias from aes to aes-i586 would make
i586 more consistent with other architectures.

-- 
Mike

:wq
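
The decoupling asked about above, as an added example that is not part of the original message or of mkinitrd: encryption is detected from the device-mapper target type and LVM from the DM UUID prefix, layer by layer, so neither flag implies the other. It assumes that LVM2 tags its mappings with an "LVM-" UUID (true of current LVM2); the input format, function names and sample UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: set root_enc and root_lvm independently for a DM root device.
# Input on stdin: one line per device-mapper layer, root device first:
#   <dm-uuid> <target-type>        ("-" where a layer has no UUID)
# On a live system the fields would come from `dmsetup info -c --noheadings
# -o uuid NAME` and the third column of `dmsetup table NAME`, following
# `dmsetup deps NAME` downwards. That plumbing is left out so this runs offline.

classify_dm_stack() {
    root_enc=0
    root_lvm=0
    while read -r uuid target; do
        [ -n "$uuid" ] || continue          # skip blank lines
        # A "crypt" target is dm-crypt, whoever set the mapping up.
        case "$target" in
            crypt) root_enc=1 ;;
        esac
        # Assumption: LVM2 gives the mappings it creates an "LVM-" UUID.
        case "$uuid" in
            LVM-*) root_lvm=1 ;;
        esac
    done
    echo "root_lvm=$root_lvm root_enc=$root_enc"
}

# Helper for the samples below (hypothetical name).
classify_sample() { printf '%s\n' "$1" | classify_dm_stack; }

# Constructed samples; the UUIDs are made up and shortened.
plain_lvm='LVM-constructedVGLV0001 linear'
crypt_only='CRYPT-PLAIN-root crypt'
crypt_on_lvm='CRYPT-PLAIN-root crypt
LVM-constructedVGLV0001 linear'
lvm_on_crypt='LVM-constructedVGLV0002 linear
- crypt'

for s in "$plain_lvm" "$crypt_only" "$crypt_on_lvm" "$lvm_on_crypt"; do
    classify_sample "$s"
done
```

With both flags known, the initrd script can run the crypto setup and the LVM setup as separate steps instead of as branches of one if/elif.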



