On Mon, 12 Feb 2024 15:36:40 +0300 Alexey Kuznetsov <kuznetsov.ale...@gmail.com> wrote:

> Hello John!
>
> I see your commit 81b2f625f54cb670e36739e3a599daafd34bc44a, about
> adding key-file support. This is great! I've been waiting for grub
> official support for removable key-file support for a long time.
>
> I suppose grub key-file meant to keep key files on a separate drive
> with fast removal feature (aka USB), not on the same drive? Basically
> using USB as removable, cheap, TPM device. Right?

Great! I can't speak for John, but my use case wasn't to keep it on a separate drive per se.

> If so. Then why does your allow users to remove a removable key?

I don't understand this, can you rephrase the question?

> Because your code, strictly requiring for key file to exist and be
> available to read, and if grub fails to read the key then cryptomount
> function will fail.

Yes, this is expected.

> As we know grub rescue shell is very limited, and doesn't even have an
> 'if' statement. Initial script can only have few commands like 'search'
> or 'cryptomount'. There is no option for user to write a script which
> can check if key file exists and readable before calling 'cryptomount'
> func. Then if we want to support removable keys, then code should allow
> to fail when reading keys.

The rescue shell is not meant for what you're wanting to do with it. Use the normal shell and you'll get all those features.

> Here is my patch on top of your work, attached.

Thanks for your interest in improving GRUB. However, I don't think this should be included as there are existing ways to accomplish what you want to do.

Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
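As an added illustration of the "use the normal shell" answer above (this is constructed example configuration, not code from the thread, from Glenn, or from GRUB's own tree): a grub.cfg fragment for the normal shell that passes the key file to cryptomount only when the removable device is actually present, and otherwise falls back to the interactive passphrase prompt. The label KEYSTICK, the path /luks.key, the UUID placeholders and the cryptomount -k option name are assumptions.

```grub
# Added example (constructed). Locate the removable key device by its
# filesystem label; if the stick is not plugged in, $keydev stays unset.
# KEYSTICK and /luks.key are assumed names, not values from the thread.
set luksuuid=LUKS_UUID_PLACEHOLDER
set rootuuid=ROOT_FS_UUID_PLACEHOLDER
search --no-floppy --label KEYSTICK --set=keydev

# The normal shell has 'if' and 'test', so the existence check the rescue
# shell cannot express is done here, before cryptomount is ever called.
if [ -n "$keydev" -a -f "($keydev)/luks.key" ]; then
    # Stick present and key readable: unlock without prompting.
    # -k is assumed to be the key-file option added by the commit under
    # discussion; cryptomount fails only if the file cannot be read.
    cryptomount -u $luksuuid -k "($keydev)/luks.key"
else
    # Stick removed or key missing: fall back to the passphrase prompt
    # instead of failing the boot outright.
    cryptomount -u $luksuuid
fi

# Hand over to the real configuration on the (now unlocked) root volume.
search --no-floppy --fs-uuid --set=root $rootuuid
configfile ($root)/boot/grub/grub.cfg
```

Nothing here verifies that cryptomount succeeded; if the volume was not unlocked, the final search leaves $root unset and configfile fails visibly rather than booting an unintended device.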