[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: partman-auto-crypto

On Sat, Aug 19, 2006 at 11:20:03PM +0200, Frans Pop wrote:
Hi David,

Glad to see you back from holidays.

One general note: we really do have to be careful with this. As we are now working towards RC releases of d-i, we cannot afford to implement really risky changes.


The initial feedback from beta 3 shows there is still some work to do on partman-crypto itself, so I'm fairly happy we made the decision to not offer p-a-c yet. There are also some important open issues for LVM itself. I'd rather spend energy on perfecting the base functionality than on adding p-a-c if we have to choose what to do before Etch.

I agre that it was good to have partman-crypto alone in beta3, it generated much more feedback and it seems that most issues have been resolved.

As far as I know, the major outstanding issue is that of keyboard input. Currently it seems that d-i does not allow UTF8 input which means that passphrases with non-ascii characters won't work after reboot into the newly installed system.

So it would really be nice to have a fix for #365308 which has been open since April and affects other parts of d-i as well (such as username input).

Oh, and we need a more thorough check for unencrypted swap.

Are you aware of any other major partman-crypto issues not in the BTS?

As for lvm, I don't see any new bugs against partman-lvm, what issues are you referring to?

I'd also very much hate it if we would find we had important regressions in partman for RC1 because of rushing implementation of p-a-c and partman-auto RAID support.

There is always post-Etch to implement major new features...

Another alternative is to not change the partman-auto main menu at all. The menu might get crowded but that is mostly an issue with > 2 disks which is not a very common scenario. This would allow p-a-c to be added without any changes (the issue of overcrowding is orthogonal to p-a-c IMHO, p-a-c just makes the problem more immediate).

This was my original plan before you brought up the issue of crowding the menu :)

On Saturday 19 August 2006 20:56, David Härdeman wrote:
1) Swap on LVM in partman-auto-lvm
I sent an RFC on this more than a month ago. Not much discussion
resulted, I got a few positive comments and no negative comments. Is
this ok to commit?

Yes, I would say it is OK to enable that ASAP, at least on a trial basis.

Ok, will commit today

2) Concerns over an overcrowded partman-auto menu
FJP suggested in the RFC thread on partman-auto-crypto that the
partman-auto main menu might need to change to accomodate the large
number of options. The following example was given:
However, I think that we should split it into two screens:

I have been thinking about this a bit too and I agree this is probably better.

Note that there is one more option that needs to be accommodated:
 Use largest available free space (or something like that)
That option is only shown if there is free space on a disk and is currently only supported for standard partitioning. There can in theory be multiple disks that have free space you could choose from. Maybe it would be good to explicitly show the free space blocks and their sizes on the next dialog instead of blindly selecting the largest.

If you select "Erase disk and create new partitions" you'd then get:

Please select the disk to erase:
SCSI1 (0.0.0) (sda) - 2.1 GB VMware, ...
SCSI2 (0.0.1) (sdb) - 2.1 GB VMware, ...
SCSI2 (0.0.1) (sdc) - 2.1 GB VMware, ...

This screen could probably either be skipped or, better, replaced by a message warning which disk will be used if only one disk is detected. Have to work out how that would work with preseeding though.

I think we could in fact have three levels of screens with the last one being along the lines of "Warning: the content of disk(s) X, Y and Z is going to be erased. This means that the data will be permanently lost..etc..etc..etc..etc. Do you want to continue?".

So for scenarios where there is only one disk, we skip screen two and go directly to screen three.

The third screen can then be preseeded to "accept" or you can leave it as is which will give a final warning to the user even if preseeding is used for the method and disk to use (this will of course be up to the preseeding recipe used).

Where you can select a single disk, whereas the "Erase disk(s); use LVM
for new partitions" would show:

Please select the disk(s) to erase and use with LVM:

[*] SCSI1 (0.0.0) (sda) - 2.1 GB VMware, ...
[ ] SCSI2 (0.0.1) (sdb) - 2.1 GB VMware, ...
[ ] SCSI2 (0.0.1) (sdc) - 2.1 GB VMware, ...

This allows multiple disks to be used for LVM or RAID and should
simplify the preseeding to use two values: method and disks to use.

What RAID level(s) are you assuming/wanting to support here?

I'm not involved in the RAID part of partman, but I'd assume that levels 0, 1 and 5 would be offered.

I guess you have seen the commit by Simon Huggins to support RAID1? It would be great if that could be integrated with this.

Yes, I've noticed it but not gone through it in detail. If I understood things correctly, it adds preseeding support but no UI for manual setup? It should be easy to do so though, and I could probably help Simon with it if necessary.

Not something that is very important to me though, as long as some
progress can be made on adding partman-auto-crypto :)

Without yet having looked at the code...
For p-a-c, what I have been wondering about is which partitions should be encrypted by default for the different schemes. From comments in earlier threads I understand that having e.g. /usr encrypted isn't all that useful.

Right now, all partition but /boot are encrypted. What happends is that /boot is created and then one large partition. That large partition is dm-crypt mapped an the dm-crypt device is used as a LVM PV. All other partitions are LV's in that LVM PV. This allows for one password during boot to setup all encrypted partitions.

So there are two benefits as I can see it to having /usr encrypted:

Allows /usr to be managed with the LVM tools as well

Avoids any accidental disclosure of information, e.g. there is /usr/local which may contain something of interest. Or the user may not want it to be known even which programs he has installed.

The disadvantage is of course performance.

I think we should err on the side of caution and encrypt everything by default.

So what partitions does p-a-c set up encrypted currently? I could imagine something like ("<c>" indicates encryption):
"atomic": / <c>, /boot, swap <c>
"home":   /, /boot, /home <c>, swap <c> (so, / not encrypted)
"multi":  /, /boot, /tmp <c>, /usr, /var <c>, /home <c>, swap <c>
         (maybe / should be encrypted too in this case)

I would definately encrypt / as well. /etc usually contains a lot of good information for an attacker (e.g. /etc/shadow).

This could be set in the recipes fairly easily by using a "$encrypt { }" flag or something for partitions to be encrypted.

Yes, wouldn't be hard to add

Something like this would possibly be needed anyway for arches that have special bootloader partitions (see for example the "palo" partition in recipes-hppa). Or do you already have a different method for dealing with those?

Right now all partitions which are marked as $lvmok { } are encrypted. I assume that "palo" partitions and other special partitions aren't marked as $lvmok?

Take care when uploading. I'm not sure the committed auto-RAID stuff is ready yet.

I wont upload anything before I have an ok from you


Reply to: