On Fri, Dec 30, 2016 at 06:01:02AM -0700, Trammell Hudson wrote:
> On Thu, Dec 29, 2016 at 09:20:41PM +0000, Rusty Bird wrote:
> > Rusty Bird: [...]
> > > Has there been any progress in upstreaming the hypervisor patch, now
> > > that you have a rock solid use case?
>
> I haven't revisited that particular patch; they said they were interested
> in supporting "legacy free" systems, although my patch was really hackish.
> The right way to do it is to move early command line parsing to before
> the EBDA is examined.
>
> The Chromebook with a VBT works with fewer patches, so I also need to
> revisit what is different between it and the thinkpads.
:)
Also, thanks for great work and great talk!
Can you elaborate on the Qubes modifications? Have you achieved a read-only
rootfs with dm-verity? What workflow do you have for upgrades? Are
templates part of the read-only fs, or read-write?
> > > Trammell Hudson:
> > > [...]
> > > > I'd really like to figure
> > > > out how to pass the secret key from the Heads bootloader to Qubes'
> > > > initrd in a supported fashion.
> > >
> > > If I understand it right, [rd.]luks.key= isn't working as it should?
> > > I've played around with that a tiny bit and systemd-cryptsetup-generator
> > > was indeed behaving weirdly, some "out of memory" nonsense.
>
> I don't think that I get that error; it seems to just be ignored and
> Qube's initrd prompts for a disk password.
>
> > Which might be fixed by
> >
> > https://github.com/systemd/systemd/commit/c802a7306bdc3e82378a87acd9402bbabe9f6b28
>
> Hmm. Yeah, that would make a difference...
>
> The one drawback to the rd.luks.key approach is that only a single key
> can be passed in. For some use cases separate /, /boot and /home keys
> are worth having, which involve editing the /etc/crypttab file in
> the initrd before starting Xen.
As Rusty already mentioned, multiple keys should work. Alternatively you
can use dracut in host-only mode, which will include /etc/crypttab from
your host. Not sure if the keyfile itself is included, but in theory it
should be.
PS We tried to catch you yesterday, but failed...
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
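As an added illustration of the per-volume key layout discussed above (not code from the thread or from the Heads or Qubes projects), this writes a crypttab with a separate keyfile for each LUKS volume plus a dracut host-only drop-in that pulls those keyfiles into the initrd; the UUIDs, key paths and the optional staging directory argument are placeholders chosen for the example.

```shell
# Added example: stage /etc/crypttab and a dracut.conf.d drop-in so that
# each encrypted volume has its own keyfile. DEST is an optional staging
# directory (defaults to /) so the function can be exercised in a sandbox.
# UUIDs and keyfile paths are placeholders, not real values.
write_luks_keys_config() {
    dest="${1:-/}"
    mkdir -p "$dest/etc/dracut.conf.d"
    # One entry per volume; the third field is the keyfile that unlocks it,
    # which is what a single rd.luks.key= cannot express for several volumes.
    cat > "$dest/etc/crypttab" <<'EOF'
luks-root  UUID=ROOT-UUID-PLACEHOLDER  /etc/keys/root.key  luks
luks-home  UUID=HOME-UUID-PLACEHOLDER  /etc/keys/home.key  luks
EOF
    # Host-only mode makes dracut copy this host's /etc/crypttab into the
    # initrd; install_items adds the keyfiles explicitly instead of relying
    # on them being picked up implicitly.
    cat > "$dest/etc/dracut.conf.d/90-luks-keys.conf" <<'EOF'
hostonly="yes"
install_items+=" /etc/keys/root.key /etc/keys/home.key "
EOF
}

# Count the non-comment crypttab entries under DEST (sanity check).
count_crypttab_entries() {
    grep -c -v '^[[:space:]]*#' "${1:-/}/etc/crypttab"
}
```

The keyfiles then live inside the initrd image, so they are only as protected as that image itself.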