Hi, yesterday I realised, that GRUB is already supporting LUKS and even simple DSA signature checking.
I was thinking about the following setup: - fully encrypted harddisk (LUKS) (incl. rootfs). - no bootloader on harddisk - kernel + initrd inside encrypted partition - optionally: signatures of the kernel + initrd For "trusted" booting, I thought about an USB stick, that just includes GRUB, a public key for verification and a keyfile for LUKS. Using that setup, no password input would be required during boot. The USB stick can be considered as "trusted environment". Unfortunately, GRUB doesn't support keyfile for Luks up to now. As I'm quite familiar with dm-crypt and LUKS I tried to implement the keyfile feature to GRUB. After spending several hours trying to get a deeper insight into the GRUB internas I finally resigned, as I was missing documentation on several things... I was very confused about the way how GRUB2 is handling its modules and about the strategies how functions are exactly called. The aim is to implement three additional options to cryptodisk.c resp. luks.c: -k keyfile [e.g. (hd2,msdos3)/mysecretkey] -o keyfile offset [optional, default: 0] -s keyfile size [optional, default: keyfilesize] Using LUKS, a keyfile can simply be treated like a passphrase, which basically is already implemented. I would appreciate, if perhaps someone of you could help me with this issue. Thanks in advance! Ralf -- Ralf Ramsauer PGP: 0x8F10049B _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
