
Re: GRUB & crypto? (& generally, more info on undocumented modules?)

From: Diagon
Subject: Re: GRUB & crypto? (& generally, more info on undocumented modules?)
Date: Wed, 24 Dec 2014 16:47:59 -0800
User-agent: Zoho Mail

---- On Mon, 22 Dec 2014 14:17:36 -0800 Jordan Uggla  wrote ---- 

>As I understand it, 
>when the kernel pivots to the actual root filesystem and thus no 
>longer needs the initramfs that's loaded into RAM, it simply frees 
>that memory without first zeroing it. That means that a process, 
>running as any user, can just malloc ram and read its uninitialized 
>contents in a loop until it comes upon something that looks like your 
>LUKS keyfile. Eventually, even if it takes multiple boots, it will 
>succeed. This is why it's so important that an official protocol be 
>developed between the kernel and bootloader, because then the kernel 
>knows to treat any memory containing credentials carefully and ensure 
>that it doesn't leak out to somewhere it shouldn't. 
>Jordan Uggla (Jordan_U on 

Fascinating, Jordan.  Thanks for the insight.

From earlier in this thread:

>Grub can read files from LUKS and GELI volumes, but only FreeBSD's 
>kernel currently has a protocol for passing credentials from grub to 
>the kernel, so if you're using GNU/Linux and you use grub's LUKS 
>support to read your kernel from your LUKS encrypted root, you will 
>need to enter your password twice at boot: Once for grub, and again 
>for linux. 

Does this mean FreeBSD/GELI handles this problem differently?  That they have 
an "official protocol" for the bootloader/kernel link, and manage credentials 
more carefully?  If so, I might be tempted to start a move that I had intended 
for some time in the future ...

(I am not too familiar with the BSDs yet, but I gather this is not the case 
when using grub with Net/OpenBSD?)


PS.  Also from earlier in this thread:

> The "hwmatch" command might be useful for you, but unfortunately it's 
> an Ubuntu specific addition that hasn't made its way upstream.

Could you give me the usage of this command?  All I could find under "usage" is:

Match PCI devices.
