* Re: [9front] Booting with encrypted partitions
@ 2019-11-12 21:54 cinap_lenrek
2019-11-12 23:51 ` petter9
0 siblings, 1 reply; 6+ messages in thread
From: cinap_lenrek @ 2019-11-12 21:54 UTC (permalink / raw)
To: 9front
notice that this mechanism has nothing specitic to
disk/cryptsetup and is just a hook to get arbitrary
code run.
which is *FINE*. just in the wrong place for something
like cryptsetup and has the wrong name.
you see the main function in bootrc can get run multiple
times. which is not what you'd want i think.
... also what Ori said, the empty test is wrong.
but otherwise i'm not against such a hook, which could
be usefull for other things as well.
probably do it right after the configlocal line in boorc.
(and dont forget the </dev/cons redirection to make
prompts work).
any suggestions for a good name? $start? $setup?
$autoexec? $DEVICEHIGH?
the name probably depends on what OTHER hooks we'r going
to add in some strategic places. any suggestions?
--
cinap
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] Booting with encrypted partitions
2019-11-12 21:54 [9front] Booting with encrypted partitions cinap_lenrek
@ 2019-11-12 23:51 ` petter9
0 siblings, 0 replies; 6+ messages in thread
From: petter9 @ 2019-11-12 23:51 UTC (permalink / raw)
To: 9front
Glad to see some interest! Just to be clear. My goal here was primarily
just to hack together something that scratches my itch, today.
Thanks for pointing out the flaw with the empty test. I actually had it
there before, but it got lost retyping it after reinstalling. (Yes, my
process sucks.)
Ori: I did consider briefly to make it work automatically for different
setups.
Some quick thoughts that put me off:
* What if new crypto programs are introduced. Which one to use.
* What if someone has multiple plan9 installations on the same disk
and/or several disks.
* Different filesystems may need different partitions decrypted.
Maintain a list? Update with new filesystems.
* Different filesystems and multiple installations.
* Should one decrypt before or after partition is selected.
Felt a bit like a pandora's box to me. (Could very well be i'm making
problems that aren't actually here obviously. I don't know.)
Having the user specify the decryption command themselves is the
simplest and cleanest solution i could think of, random unverified
concerns considered. Not saying having it in plan9.ini like that is the
right way to do it. (But hey, step 1: get something that works;))
Cinap: Regarding having this in the main loop. The scenario i had in
mind there was the user aborting the password input (DEL) to type in
some other partition in bootargs (multi-boot/usb). And if that fails,
just start all over again.
I'd be happy to help and experiment the next few days before i set this
computer to work. I'll try moving it around.
initcmd?
--
Petter
--
For the record.
diff -r 8f9f3ee2eacf sys/src/9/boot/bootrc
--- a/sys/src/9/boot/bootrc Mon Nov 11 13:35:47 2019 -0800
+++ b/sys/src/9/boot/bootrc Tue Nov 12 13:10:09 2019 +0100
@@ -65,6 +65,11 @@
mt=()
fn main{
+ if(! ~ $#decryptfs 0) {
+ echo $decryptfs
+ eval $decryptfs
+ }
+
mp=()
while(~ $#mp 0){
if(~ $#nobootprompt 0){
---plan9.ini---
decryptfs=disk/cryptsetup -i /dev/sdE0/fsworm /dev/sdE0/fscache
/dev/sdE0/other
nobootprompt=local!/dev/fs/fscache
mouseport=ps2
monitor=x200
vgasize=1280x800x32
user=p
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] Booting with encrypted partitions
2019-11-13 5:07 ori
2019-11-13 11:45 ` hiro
@ 2019-11-20 12:58 ` petter9
1 sibling, 0 replies; 6+ messages in thread
From: petter9 @ 2019-11-20 12:58 UTC (permalink / raw)
To: 9front
I like having the hook before the loop now too, as cinap suggested. In
the scenario of a user having a partition decryption command in this
hook and aborting the password prompt; they can now try their different
boot options without having an annoying password prompt appearing all
the time. (The prompt is just a reboot away should they want it again.)
diff -r 8f9f3ee2eacf sys/src/9/boot/bootrc
--- a/sys/src/9/boot/bootrc Mon Nov 11 13:35:47 2019 -0800
+++ b/sys/src/9/boot/bootrc Wed Nov 20 11:55:12 2019 +0100
@@ -186,6 +186,12 @@
# add partitions and binds
configlocal
+# execute hook 'startcmd' from plan9.ini
+if(! ~ $#startcmd 0) {
+ echo $startcmd
+ eval $startcmd
+}
+
while(){
@{main}
I went with 'startcmd', which is still open for debate..
I can help with updating the fqa if something like this patch is committed.
Come to think of; there's also the possibility of having a bootrc.local
(mimicking termrc and cpurc). I actually think that seems like a better
path going forward, but i haven't made any attempts at that.
--
Petter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] Booting with encrypted partitions
2019-11-13 5:07 ori
@ 2019-11-13 11:45 ` hiro
2019-11-20 12:58 ` petter9
1 sibling, 0 replies; 6+ messages in thread
From: hiro @ 2019-11-13 11:45 UTC (permalink / raw)
To: 9front
if more ideas are needed:
perhaps refer to the next thing it precedes: "pre-bootprompt" ?
doesn't seem to be convention here, but i like that on other OS's the
order of execution is sometimes visible e.g. by having a number
prefixed, or in the style of pre-something/post-something scripts or
interface-up/interface-down....
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] Booting with encrypted partitions
@ 2019-11-13 5:07 ori
2019-11-13 11:45 ` hiro
2019-11-20 12:58 ` petter9
0 siblings, 2 replies; 6+ messages in thread
From: ori @ 2019-11-13 5:07 UTC (permalink / raw)
To: cinap_lenrek, 9front
> any suggestions for a good name? $start? $setup?
> $autoexec? $DEVICEHIGH?
startcmd is the best I can think of.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [9front] Booting with encrypted partitions
@ 2019-11-12 20:57 ori
0 siblings, 0 replies; 6+ messages in thread
From: ori @ 2019-11-12 20:57 UTC (permalink / raw)
To: petter9, 9front
> Hi,
>
> Got a bit tired of dropping to the shell and punching in the disk
> decryption command on every boot. This one:
> > disk/cryptsetup -i /dev/sdE0/fsworm /dev/sdE0/fscache /dev/sdE0/other
> Also, one typo and the entire command must be retyped :/
If you attach patches inline, it's easier to review, and they'll still
be viewable years from now.
> So i made a change to the boot process to do that for me. Don't know if
> something like this exist but it was anyway educational for me doing
> this (noob) and i just thought i would share in case anyone is interested.
>
> The change to the boot script,
> http://okturing.com/src/7221/body
> diff -r 8f9f3ee2eacf sys/src/9/boot/bootrc
> --- a/sys/src/9/boot/bootrc Mon Nov 11 13:35:47 2019 -0800
> +++ b/sys/src/9/boot/bootrc Tue Nov 12 13:10:09 2019 +0100
> @@ -65,6 +65,11 @@
> mt=()
>
> fn main{
> + if(! ~ $decryptfs 0) {
This line isn't quite right -- you're checking if the content of '$decryptfs'
is 0, rather than whether the list has 0 elements. You need the '#' operator:
if(! ~ $#decryptfs 0)
Other than that, it like it will work to me.
I'll let someone else more familiar with the boot process (cinap,
probably?) comment if there's a cleaner solution that doesn't add a
new knob. Ideally, I think we'd want:
nobootprompt=crypt!local!/dev/sdE0/fscache
but I don't see a great way to get the args for disk/cryptsetup
out of that spec.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-11-20 12:58 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-12 21:54 [9front] Booting with encrypted partitions cinap_lenrek
2019-11-12 23:51 ` petter9
-- strict thread matches above, loose matches on Subject: below --
2019-11-13 5:07 ori
2019-11-13 11:45 ` hiro
2019-11-20 12:58 ` petter9
2019-11-12 20:57 ori
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).