[systemd-devel] [PATCH] cryptsetup-generator: support rd.luks.key=keyfile:keyfile_device

Lennart Poettering lennart at poettering.net
Thu Apr 23 07:57:09 PDT 2015


On Thu, 23.04.15 06:41, Andrei Borzenkov (arvidjaar at gmail.com) wrote:

> On Thu, 23 Apr 2015 00:48:38 +0200
> Lennart Poettering <lennart at poettering.net> writes:
> 
> > On Fri, 20.02.15 10:56, Jan Synacek (jsynacek at redhat.com) wrote:
> > 
> > Sorry for the late review.
> > 
> > What's the precise background of this? Can you elaborate? Is there
> > some feature request for this?
> 
> There are multiple bug reports that switching to dracut with integrated
> systemd breaks ability to auto-setup encrypted devices using keyfile
> on external USB stick.

Hmm, but from Jan's mail I got the impression that this is a Dracut
feature in the first place? Now I am confused?

Which initrd implementations supported this scheme before?

> > What does this actually do? Is the specified key file read from the
> > specified device?
> 
> It reads the keyfile from the filesystem on the device identified by keyfile_device.
> 
> > The order of keyfile:device sounds weird, no?
> > Shouldn't it be the other way round?
> > 
> 
> keyfile is mandatory, keyfile_device is optional and can be omitted. I
> believe dracut looked at all existing devices then. This order makes
> it easier to omit optional parameter(s).

Well, whether it is [device:]file or file[:device] is hardly any
difference for the parser...

> > Is this specific to Dracut so far? Is this widely used, and something
> > that we really want.
> 
> I can speak about dracut only, but yes, it is used, and it is a serious
> regression compared with the pre-systemd version when it is used.

Can you point me to documentation about the previous features in this
regard? Which initrd implementations are you referring to?

> > > First version of the patch that allows rd.luks.key to be specified
> > > almost the same way as dracut can read it.
> > > 
> > > The solution creates a temporary mount unit "mnt.mount" that the
> > > generated cryptsetup service wants. The partition containing the
> > > keyfile is then mounted to /mnt and the absolute path to the keyfile is
> > > changed so it points to this temporary mount instead.
> > 
> > Well, I'd place this in /run somewhere. Maybe
> > /run/systemd/cryptsetup/mount or so...
> > 
> > > I'm not sure if temporarily mounting something to /mnt in initrd is
> > > safe. If not, what would be a preferred way to do this?
> > 
> > What does temporarily mean? When is this unmounted?
> 
> To fetch keyfile dracut needs to mount USB stick. This mount is not
> normally needed after cryptomount setup is completed.

Well, sure, I am just wondering what precisely shall be used as
trigger to unmount it again.

Lennart

-- 
Lennart Poettering, Red Hat
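As an added illustration of the mechanism discussed in this thread (this is not the systemd patch under review nor dracut's code), the sketch below parses rd.luks.key=keyfile[:keyfile_device] and generates the mount unit the cryptsetup service would want. It assumes Lennart's proposed /run/systemd/cryptsetup/mount as the mount point and the udev /dev/disk/by-uuid and /dev/disk/by-label symlinks for UUID=/LABEL= device specs.

```python
from typing import NamedTuple, Optional

# Mount point for the key file's filesystem; assumed here, following Lennart's
# suggestion to use something under /run rather than /mnt.
MOUNT_POINT = "/run/systemd/cryptsetup/mount"


class KeySpec(NamedTuple):
    keyfile: str           # absolute path of the key file on its own filesystem
    device: Optional[str]  # device holding that filesystem; None when omitted


def parse_rd_luks_key(value: str) -> KeySpec:
    """Split 'keyfile[:keyfile_device]' at the first colon.

    The key file is mandatory and comes first so that the optional device can
    simply be left off; the key path itself therefore must not contain a colon.
    """
    keyfile, sep, device = value.partition(":")
    if not keyfile.startswith("/"):
        raise ValueError(f"rd.luks.key: key file must be an absolute path: {value!r}")
    return KeySpec(keyfile, device if sep and device else None)


def device_node(spec: str) -> str:
    """Map UUID=/LABEL= specs to the udev by-uuid/by-label symlinks (assumed convention)."""
    if spec.startswith("UUID="):
        return "/dev/disk/by-uuid/" + spec[len("UUID="):]
    if spec.startswith("LABEL="):
        return "/dev/disk/by-label/" + spec[len("LABEL="):]
    return spec


def mount_unit_name() -> str:
    """systemd names a mount unit after its mount point: strip the leading '/', replace '/' with '-'."""
    return MOUNT_POINT.strip("/").replace("/", "-") + ".mount"


def effective_keyfile(spec: KeySpec) -> str:
    """Path the cryptsetup service reads: rewritten under the temporary mount when a device was given."""
    return spec.keyfile if spec.device is None else MOUNT_POINT + spec.keyfile


def keyfile_mount_unit(spec: KeySpec) -> Optional[str]:
    """Text of the generated mount unit the cryptsetup service Wants; None when no device was given."""
    if spec.device is None:
        return None
    return ("[Unit]\nDescription=Key file device for cryptsetup\nDefaultDependencies=no\n\n"
            f"[Mount]\nWhat={device_node(spec.device)}\nWhere={MOUNT_POINT}\nOptions=ro\n")
```

Without a device part nothing is mounted and the key path is left untouched, which is the case where dracut searched all existing devices.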

