stage-1: Add interactive LUKS decrypting #234
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
samueldr
added
3. topic: stage-1
samueldr
force-pushed
the
feature/stage-1-passphrase
branch
from
09019e6
to
5f56ba5
Compare
This will be useful for some tests.
This, with the upcoming luks task allows encrypted drives to work!
samueldr
force-pushed
the
feature/stage-1-passphrase
branch
from
5f56ba5
to
2128889
Compare
They will, at some point, be promoted into LVGUI. For the time being they are local as they have only been verified to work in a useful manner for this limited use case.
The following commit will plug it into the messages queue.
For now, extremely assumed to be passphrase input.
These changes implement the different protocol changes.
This way we really only update the current state bit we want to affect.
With the same tooling we will be able to ask for a throbber or some other kind of work indicator.
samueldr
force-pushed
the
feature/stage-1-passphrase
branch
from
2128889
to
a1813ef
Compare
|
In addition to the VM, tested on-device with a Pinephone. Sadly, no instructions to setup, this was all done manually in a bad way; more work is expected later for installing. The quick notes is: prepare a custom initrd with cryptsetup and full utillinux, partition the eMMC as you would like, flash a system with a custom configuration. You might also want to use JumpDrive instead of a custom initrd, but my pinephone has issues with USB. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This builds upon #233, soon-to-be merged.
This adds the required facilities for asking for the passphrase during the boot progress tracking
In addition to a test system made specifically to test that the unlocking works.
Note that there is no automatic way to get encryption going on your device yet. This is for something further along. For the time being, you will have to manually configure your stage-1 to know about the cryptsetup setup for your device. In addition, you will have to handle
cryptsetup reencryptyourself on your device. (Check the testing system, there may be clues, e.g. using 32MB for resize.)I will, at some point, add documentation about manually encrypting a device, but that will happen once I have done it and tested it. Though the steps are quite obvious: (1) somehow get
cryptsetup reencryptgoing on your rootfs (2) update stage-1 with a build that knows about the encryption.The plan is to, instead, make a specialized "installer"
boot.img(stage-1 only system) that would know about that, but this is strictly for the future.