Some encryption-related projects
W. Michael Petullo
mike at flyn.org
Thu Dec 9 03:46:34 UTC 2004
>> 2. Encrypted root filesystem.
>>
>> Red Hat Bug #182479 discusses adding support for an encrypted root
> It's #124789.
>> filesystem to Fedora. The bug contains a patch for mkinitrd that
>> facilitates this. Eventually it would be nice to see support in anaconda
>> for this, but #182479 is the first step.
> One thing you miss in the latest patch is support for an encrypted
> root device on top of an LVM volume.
> With your patch the code does the following starting at about line 730 in
> mkinitrd:
> if [ "$kernelmajor" == "2.4" ]; then
>     # kernel 2.4.x LVM stuff
> elif [ -n "$root_enc" ]; then
>     # crypto-root stuff
> else
>     # kernel 2.6.x LVM stuff
> fi
> What you really want is to have the crypto root stuff occurring outside
> the if statement in question. Also inside the "if [ -n "$root_enc"
> ]; then" block you want to have "if [ -z $root_lvm ]; then" around the
> "mkdmnod" bit so that mkdmnod doesn't get called twice.
I'm sorry, but I don't have any experience with LVM volumes. What I
do know is that right now if root_enc=1 then root_lvm=1 but root_lvm=1
does NOT mean root_enc=1. The tests go like this (line 852):
if [ is LVM (actually is device mapper) ]; then
    root_lvm=1
    if [ is encrypted ]; then
        root_enc=1
    fi
fi
So, how can I support both of these cases:
    LVM volume, unencrypted
    LVM volume, encrypted
?
I need a way to test if a root filesystem is really an LVM volume and
not possibly just a DM/encrypted volume. In other words, how can I
ask "is this device mapper volume truly an LVM volume?" Root_enc and
root_lvm need to be decoupled.
> Also in recent kernels the AES module is aes-i586 (maybe we should have an
> alias in the module-init-tools config).
In my recent kernels, aes is not aes-i586 because my kernel is built
for PowerPC. So I imagine an alias from aes to aes-i586 would make
i586 more consistent with other architectures.
--
Mike
:wq
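
Added example, not part of the original message or of mkinitrd: one way to decouple root_enc from root_lvm is to read the device-mapper target types in the stack under the root mapping, in the format `dmsetup table` prints. The mapping names, table lines and the name-to-device map are constructed samples, and treating a linear or striped target as LVM is an assumption.

```bash
# Constructed sample data, not taken from a real system.
# SAMPLE_TABLE mimics `dmsetup table`: <name>: <start> <len> <target> <args>
#   linear args: <device> <offset>
#   crypt args:  <cipher> <key> <iv_offset> <device> <offset>  (key zeroed here)
SAMPLE_TABLE='VolGroup00-LogVol00: 0 20971520 linear 8:2 384
cryptroot: 0 20967424 crypt aes-cbc-plain 00000000000000000000000000000000 0 253:0 0
cryptplain: 0 4194304 crypt aes-cbc-plain 00000000000000000000000000000000 0 8:3 0'
# SAMPLE_NODES is a simplified "<name> <major:minor>" map (assumed format).
SAMPLE_NODES='VolGroup00-LogVol00 253:0
cryptroot 253:1
cryptplain 253:2'

# Print the target type of mapping $1 and of every DM mapping stacked below it.
# Only crypt and linear targets are followed downwards.
dm_stack_targets() {
    local name="$1" table="$2" nodes="$3"
    local n start len target a1 a2 a3 a4 rest dev below
    while read -r n start len target a1 a2 a3 a4 rest; do
        [ "$n" = "$name:" ] || continue
        echo "$target"
        case "$target" in
            crypt)  dev="$a4" ;;   # backing device is the 4th crypt argument
            linear) dev="$a1" ;;   # backing device is the 1st linear argument
            *)      dev="" ;;
        esac
        below=$(printf '%s\n' "$nodes" | awk -v d="$dev" '$2 == d { print $1 }')
        if [ -n "$below" ]; then
            dm_stack_targets "$below" "$table" "$nodes"
        fi
    done <<EOF
$table
EOF
}

# Decide root_enc and root_lvm independently from the target types found.
# Assumption: linear/striped targets are taken to mean LVM; other tools can
# create them too, so a real script would confirm with the LVM tools.
classify_root() {
    local targets
    targets=$(dm_stack_targets "$1" "$2" "$3")
    root_enc=""; root_lvm=""
    case "$targets" in *crypt*) root_enc=1 ;; esac
    case "$targets" in *linear*|*striped*) root_lvm=1 ;; esac
    echo "root_enc=${root_enc:-0} root_lvm=${root_lvm:-0}"
}

for m in VolGroup00-LogVol00 cryptroot cryptplain; do
    printf '%-20s %s\n' "$m" "$(classify_root "$m" "$SAMPLE_TABLE" "$SAMPLE_NODES")"
done
```

The three sample mappings cover an unencrypted LVM volume, an encrypted root on top of an LVM volume, and a dm-crypt volume with no LVM underneath.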