From: Ralf <ralf+gentoo@ramses-pyramidenbau.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] cryptsetup wont use aes-xts:plain64
Date: Sat, 18 Apr 2015 15:45:56 +0200 [thread overview]
Message-ID: <55326014.8020901@ramses-pyramidenbau.de> (raw)
In-Reply-To: <553251A7.10205@baums-on-web.de>
Hi,
@Marko
tl;dr: it's going a bit offtopic.
Marko, try to hardcompile those modules into your kernel.
This should be the simplest fix of your problem.
On 04/18/2015 02:44 PM, Heiko Baums wrote:
> Am 18.04.2015 um 14:12 schrieb Ralf:
>
>> No. Could you please explain why you think so?
>> Even if your root partition is encrypted, your ramdisk could load the
>> modules.
> Are you sure about that? Are you sure that the necessary modules are
> definitely put into the initrd and that the kernel will be able to load
> them soon enough at boot time?
I double checked it and now I am sure:
For reasons of comfortability I inspected a standard Arch-Linux
installation.
It supports rootfs encryption and xts is loaded in the initrd as module.
So it is possible to treat it as a module.
Besides that: Why should your kernel config allow you to compile it as
module if it isn't useable as module?
>
> Compiling those modules into the kernel is definitely more secure (in
> terms of being sure that they are always available) and doesn't do any
> harm, because they need to be loaded anyway.
Yes for a homebrew kernel, i can second that.
>
> Btw., several dm-crypt/LUKS documentation (all that I've read) say that
> those modules have to be compiled into the kernel directly.
>
>> After loading the modules you can see that they are available by cat
>> /proc/crypto.
> You won't be able to run this command when the kernel tries to unlock
> the LUKS container at boot time.
No, but it is accessible when creating your LUKS volume, and that's
Marko problem at the moment.
>
>> The modules can be loaded _after_ bootup as well.
> If you want to unlock the LUKS container at boot time (particularly if
> your root partition is encrypted), loading the modules after bootup is
> too late.
Loading those modules during the early bootup phase in your initrd is
actually not too late.
Ah, and for completeness sake:
Grub2 is able to speak LUKS. So your kernel and initrd maybe inside an
encrypted volume.
>
> So I wouldn't risk it.
Neither do I.
Cheers
Ralf
next prev parent reply other threads:[~2015-04-18 13:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-18 10:27 [gentoo-user] cryptsetup wont use aes-xts:plain64 Marko Weber | 8000
2015-04-18 11:48 ` Ralf
2015-04-18 12:07 ` Heiko Baums
2015-04-18 12:12 ` Ralf
2015-04-18 12:44 ` Heiko Baums
2015-04-18 13:45 ` Ralf [this message]
2015-04-18 12:33 ` Heiko Baums
2015-04-18 15:41 ` Heiko Baums
2015-04-20 13:40 ` Marko Weber | 8000
2015-04-19 1:35 ` Fernando Rodriguez
2015-04-19 1:47 ` Fernando Rodriguez
2015-04-20 13:43 ` Marko Weber | 8000
2015-04-20 17:43 ` Heiko Baums
2015-04-20 13:59 ` Marko Weber | 8000
2015-04-20 16:19 ` bitlord
-- strict thread matches above, loose matches on Subject: below --
2015-04-21 9:21 Marko Weber | 8000
2015-04-21 10:54 ` Heiko Baums
2015-04-22 4:09 ` R0b0t1
2015-04-22 7:46 ` Ralf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55326014.8020901@ramses-pyramidenbau.de \
--to=ralf+gentoo@ramses-pyramidenbau.de \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox