From: Steffen Nurpmeso <firstname.lastname@example.org>
To: "Michael Kjörling" <email@example.com>
Subject: [TUHS] Re: Unix install & "standalone" package
Date: Sat, 09 Sep 2023 01:38:54 +0200 [thread overview]
Message-ID: <20230908233854.Xni_jfirstname.lastname@example.org> (raw)
Michael Kjörling wrote in
|On 5 Sep 2023 17:53 +0200, from email@example.com (Steffen Nurpmeso):
|> Unfortunately cryptsetup is needed even though, i think, the
|> kernel has anything needed; you just cannot access it. cryptsetup
|> is only needed for "$cs open $PART_ROOT p_root --key-file -".
|> Of course i am no real Linux expert but only a do-it-yourself guy.
|If your need is restricted to a highly specific use case and you are
|trying to keep it as small as possible, then it should be possible to
|write a custom wrapper around whatever libcryptsetup functionality you
|need and avoid the extra code that you get with cryptsetup proper.
It is nicely documented, and my Linux distribution ships the
static library anyhow. But i am a lazy sort regarding such,
i just take the thing of my distribution and copy it over (they do
build it statically also by default).
You know, things change, and if you do not follow closely, you
stand in the rain. I am not a paid Linux engineer that follows
this rapidly moving target in the end.
For example the (no longer) new random developer chose to disable
feeding entropy via /dev/urandom, here (distribution) still is
# Load random seed
/bin/cat /var/lib/urandom/seed > /dev/urandom
for almost two decades (it is a rather young one), but the code
path was mutilated (i read the kernel source once he had rewritten
that to be blake2/some 32-byte block thing based), now one needs
to use some ioctl interface fwiw.
Or once here cryptsetup was updated to use OpenSSL 3.0 suddenly
ripemd160 was no longer available on EFI (aka purely static,
without the filesystem avaialable), even though its release notes
explicitly mentioned the problem as solved, and OpenSSL 3's
libcrypto.a _had_ ripemd160... I had to switch to sha512 .. then
to sha256 once cryptsetup started warning args had to be explicit
in the future. Mind you, i in fact use it twice, also for
encrypted swap, i only wrongly searched for $cs
$2 open --type plain --cipher aes --key-size 256 \
--hash sha256 $PART_SWAP p_swap --key-file - &&
i said on IRC
cryptsetup does EVP_DigestInit_ex(h->md, h->hash_id, NULL),
i presume that does load additional things.
That surely is it, i did not track it further.
So no, to answer you, i have no highly specific use case at all.
This is only an encrypted volume with my own boot-style that
requires no boot loader but Linux itself.
Maybe i should really look deeply in how cryptsetup then attaches
a LUKS2 volume to the kernel, maybe it actually _would_ be
possible to do this simply in some other way.
But truly writing a program? I feel much saver in the horde, with
so many people, specialists even, working on Linux, LUKS2,
cryptsetup, OpenSSL, .. these are all moving targets.
(I mean, i am lucky if i _can_ do a bit of programming on at least
the MUA i maintain; so much to do! And roff hopefully somewhere
on the horizon, somewhen; today it was zero minutes.)
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
next prev parent reply other threads:[~2023-09-08 23:39 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-04 14:44 [TUHS] " Norman Wilson
2023-09-04 14:55 ` [TUHS] " Vincenzo Nicosia
2023-09-04 17:20 ` Warner Losh
2023-09-04 19:05 ` Clem Cole
2023-09-05 17:03 ` Paul Winalski
2023-09-05 18:02 ` Clem Cole
2023-09-04 19:59 ` Theodore Ts'o
2023-09-04 23:51 ` Warner Losh
2023-09-04 17:18 ` Warner Losh
2023-09-04 22:10 ` Steffen Nurpmeso
2023-09-05 15:53 ` Steffen Nurpmeso
2023-09-06 17:50 ` Warner Losh
2023-09-07 0:11 ` Steffen Nurpmeso
2023-09-07 16:05 ` Warner Losh
2023-09-08 14:58 ` Theodore Ts'o
2023-09-08 13:56 ` Michael Kjörling
2023-09-08 23:38 ` Steffen Nurpmeso [this message]
2023-09-09 22:43 ` Steffen Nurpmeso
2023-09-11 4:10 ` Theodore Ts'o
2023-09-11 22:05 ` Steffen Nurpmeso
2023-09-05 1:07 ` Jonathan Gray
-- strict thread matches above, loose matches on Subject: below --
2023-09-04 9:57 [TUHS] " Paul Ruizendaal via TUHS
2023-09-04 14:53 ` [TUHS] " emanuel stiebler
2023-09-04 17:07 ` Warner Losh
2023-09-04 18:21 ` Dan Cross
2023-09-05 11:15 ` Paul Ruizendaal via TUHS
2023-09-05 14:15 ` Clem Cole
2023-09-05 17:03 ` Warner Losh
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).