-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Dec 30, 2016 at 06:01:02AM -0700, Trammell Hudson wrote:
> On Thu, Dec 29, 2016 at 09:20:41PM +0000, Rusty Bird wrote:
> > Rusty Bird:
> > [...]
> > > Has there been any progress in upstreaming the hypervisor patch, now
> > > that you have a rock solid use case?
>
> I haven't revisited that particular patch; they said they were interested
> in supporting "legacy free" systems, although my patch was really hackish.
> The right way to do it is to move early command line parsing to before
> the EBDA is examined.
>
> The Chromebook with a VBT works with fewer patches, so I also need to
> revisit what is different between it and the thinkpads.
:)

Also, thanks for the great work and the great talk!

Can you elaborate on the Qubes modifications? Have you achieved a read-only
rootfs with dm-verity? What workflow do you have for upgrades? Are templates
part of the read-only fs, or read-write?

> > > Trammell Hudson:
> > > [...]
> > > > I'd really like to figure
> > > > out how to pass the secret key from the Heads bootloader to Qubes'
> > > > initrd in a supported fashion.
> > >
> > > If I understand it right, [rd.]luks.key= isn't working as it should?
> > > I've played around with that a tiny bit and systemd-cryptsetup-generator
> > > was indeed behaving weirdly, some "out of memory" nonsense.
>
> I don't think that I get that error; it seems to just be ignored and
> Qubes' initrd prompts for a disk password.
>
> > Which might be fixed by
> > https://github.com/systemd/systemd/commit/c802a7306bdc3e82378a87acd9402bbabe9f6b28
>
> Hmm. Yeah, that would make a difference...
>
> The one drawback to the rd.luks.key approach is that only a single key
> can be passed in. For some use cases separate /, /boot and /home keys
> are worth having, which involves editing the /etc/crypttab file in
> the initrd before starting Xen.

As Rusty already mentioned, multiple keys should work. Alternatively you
can use dracut in host-only mode, which will include /etc/crypttab from
your host. Not sure if the keyfile itself is included, but in theory it
should be.

PS We tried to catch you yesterday, but failed...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYZvNaAAoJENuP0xzK19csU8cH/jBmR/u3gIhA4xb7fjiL9c+C
9PAUCohu1V00s0QwDDxNM9Ku40mi77kuPfmFKvpgCQRiuxQWgqsrS0yS45QKMpP2
d9xMlek+ciQB9e84nzrPS4QDUKmjn4RHfnubqodpfu425b/iMah0EMq+dfrCUJvT
U50XsNmyN0VYaYCMjvUHyuuMDPZI4fhxN3SdA3J/Gx3DlFh3MpVw+tXKlQAU5x6M
ck4I1wH3cwBGrhVPoploxyvXgtJwfHqy4dgrXrC/BauW4eG6EhANSC1A6hG4DGtr
P8lARByfSFzyuL/njAYAZJa0/DoY/XLyDgfd4D3PP6hZMtcOR/Wqj8JlON30kao=
=iiss
-----END PGP SIGNATURE-----

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161230235259.GB1341%40mail-itl.
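Added example (not part of the thread, and not systemd's, dracut's or Qubes' own code): a small model of how per-volume key options on the kernel command line map to the volume/key pairs that an initrd would otherwise read from /etc/crypttab, the mechanism the thread discusses for handing a Heads-supplied key to more than one LUKS volume. The option syntax assumed here is the one documented for systemd-cryptsetup-generator, rd.luks.uuid=<UUID> to name a volume, rd.luks.key=<path> for a key offered to every volume, and rd.luks.key=<UUID>=<path>[:<device>] for a key bound to one volume; the UUIDs, paths and device names in the sample command line are constructed, and the crypttab rendering only emits the key path, since how a separate key device is spelled in crypttab is not something this model asserts. The one check it enforces is the practitioner's caveat for this approach: /proc/cmdline is readable by every process on the booted system, so the command line may carry a path to a key file, never key material itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bare or "luks-"-prefixed UUID, both accepted for rd.luks.uuid= (assumed).
_UUID_RE = re.compile(
    r"^(?:luks-)?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)

# Constructed sample command line; UUIDs, key paths and /dev/sdb1 are made up.
SAMPLE_CMDLINE = (
    "root=/dev/mapper/luks-1b3e8f2a-5c6d-4e7f-8a9b-0c1d2e3f4a5b ro "
    "rd.luks.uuid=luks-1b3e8f2a-5c6d-4e7f-8a9b-0c1d2e3f4a5b "
    "rd.luks.uuid=2c4f9a3b-6d7e-4f80-9b0c-1d2e3f4a5b6c "
    "rd.luks.uuid=3d5a0b4c-7e8f-4a91-8c1d-2e3f4a5b6c7d "
    "rd.luks.key=/keys/root.key "
    "rd.luks.key=2c4f9a3b-6d7e-4f80-9b0c-1d2e3f4a5b6c=/keys/home.key:/dev/sdb1"
)


@dataclass
class Volume:
    uuid: str
    keyfile: Optional[str] = None  # None: the initrd falls back to a passphrase prompt
    keydev: Optional[str] = None   # device the key file is read from, if one was named


def _key_source(value: str) -> Tuple[str, Optional[str]]:
    """Split 'path[:device]' and reject anything that is not a path.

    The kernel command line is world-readable via /proc/cmdline, so only
    an absolute path to a key file may appear here, never the key itself.
    """
    path, _, dev = value.partition(":")
    if not path.startswith("/"):
        raise ValueError(f"key option must name an absolute path, got {path!r}")
    return path, (dev or None)


def parse_cmdline(cmdline: str) -> Dict[str, Volume]:
    """Map every rd.luks.uuid= volume to the key it would be unlocked with."""
    volumes: Dict[str, Volume] = {}
    default_key: Optional[Tuple[str, Optional[str]]] = None
    per_uuid: Dict[str, Tuple[str, Optional[str]]] = {}

    for token in cmdline.split():
        name, sep, value = token.partition("=")
        if not sep:
            continue  # bare flags such as "ro"
        if name in ("luks.uuid", "rd.luks.uuid"):
            m = _UUID_RE.match(value)
            if not m:
                raise ValueError(f"malformed LUKS UUID {value!r}")
            u = m.group(1).lower()
            volumes.setdefault(u, Volume(uuid=u))
        elif name in ("luks.key", "rd.luks.key"):
            head, eq, rest = value.partition("=")
            m = _UUID_RE.match(head) if eq else None
            if m:
                # UUID=path[:dev]: a key bound to this one volume.
                per_uuid[m.group(1).lower()] = _key_source(rest)
            elif not eq:
                # path[:dev]: the key offered to every volume without its own.
                default_key = _key_source(value)
            else:
                raise ValueError(f"unparseable key option {value!r}")

    for u, vol in volumes.items():
        src = per_uuid.get(u, default_key)
        if src is not None:
            vol.keyfile, vol.keydev = src
    return volumes


def to_crypttab(volumes: Dict[str, Volume]) -> List[str]:
    """Render the mapping as crypttab-style lines: name, device, key, options."""
    return [
        f"luks-{u} UUID={u} {volumes[u].keyfile or 'none'} luks"
        for u in sorted(volumes)
    ]


def rejects_inline_key(value: str) -> bool:
    """True if a key option carrying something other than a path is refused."""
    try:
        parse_cmdline(f"rd.luks.key={value}")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for line in to_crypttab(parse_cmdline(SAMPLE_CMDLINE)):
        print(line)
```

With the sample above the root and third volumes both pick up /keys/root.key from the unqualified option, while the second volume gets /keys/home.key from /dev/sdb1 through its UUID-qualified option; a volume with no matching option keeps keyfile None and would prompt, which is the behaviour Trammell describes seeing when the option is silently ignored.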
