---- On Mon, 22 Dec 2014 14:17:36 -0800 Jordan Uggla wrote ----

[...]

> As I understand it, when the kernel pivots to the actual root filesystem
> and thus no longer needs the initramfs that's loaded into RAM, it simply
> frees that memory without first zeroing it. That means that a process,
> running as any user, can just malloc ram and read its uninitialized
> contents in a loop until it comes upon something that looks like your
> LUKS keyfile. Eventually, even if it takes multiple boots, it will
> succeed. This is why it's so important that an official protocol be
> developed between the kernel and bootloader, because then the kernel
> knows to treat any memory containing credentials carefully and ensure
> that it doesn't leak out to somewhere it shouldn't.
> --
> Jordan Uggla (Jordan_U on irc.freenode.net)
Fascinating, Jordan. Thanks for the insight.

From earlier in this thread:

> Grub can read files from LUKS and GELI volumes, but only FreeBSD's
> kernel currently has a protocol for passing credentials from grub to
> the kernel, so if you're using GNU/Linux and you use grub's LUKS
> support to read your kernel from your LUKS encrypted root, you will
> need to enter your password twice at boot: Once for grub, and again
> for linux.

Does this mean FreeBSD/GELI handle this problem differently? That they have an "official protocol" for the bootloader/kernel link, and manage credentials more carefully?

If so, I might be tempted to start a move that I had intended for some time in the future ... (I am not too familiar with the BSDs yet, but I gather this is not the case when using grub with Net/OpenBSD?)

/D.

PS. Also from earlier in this thread:

> The "hwmatch" command might be useful for you, but unfortunately it's
> an Ubuntu specific addition that hasn't made its way upstream.

Could you give me the usage of this command? All I could find under "usage" is:

    hwmatch MATCHES-FILE CLASS
        Match PCI devices.

_______________________________________________
Help-grub mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-grub
