From: Jookia <166291@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.
Date: Fri, 11 Mar 2016 08:11:49 +1100
Message-ID: <20160310211149.GA17073@novena-choice-citizen.lan>
In-Reply-To: <87r3fitiu6.fsf@gnu.org>

On Thu, Mar 10, 2016 at 05:10:09PM +0100, Ludovic Courtès wrote:
> Jookia <166291@gmail.com> skribis:
> 
> > So I've come up with the following hack commit that effectively
> > stops any sort of dependency management and adds some new targets
> > for LVM and LUKS with a keyfile.
> >
> > Here's my current setup, take note that order of mapped devices
> > matter since there's no dependency management:
> >
> >   (mapped-devices (list (mapped-device
> >                           (source "/dev/sda")
> >                           (target "hdd")
> >                           (type (luks-device-keyfile-mapping
> >                                   (local-file "/root/keyfile"))))
> >                         (mapped-device
> >                           (source "/dev/mapper/hdd")
> >                           (target "matrix")
> >                           (type lvm-device-mapping))))
> >
> >   (file-systems (cons (file-system
> >                         (device "/dev/mapper/matrix-root")
> >                         (title 'device)
> >                         (mount-point "/")
> >                         (type "ext4"))
> >                       %base-file-systems))
> >
> >   (swap-devices '("/dev/mapper/matrix-swap"))
> 
> As you note, and as discussed on IRC, this is not OK because the private
> key ends up being stored world-readable in the store.  :-/

That's one thing to talk about: store permissions and what to do about them. I
also have another situation where I want to run a container with an OpenVPN
service, but I'd have to pass credentials to them somehow. It's tricky to do
this on NixOS because I'd have to edit the container files, which means I now
have state not only in /etc but in my containers too!

Setting permissions to just 'root' might be a bit bad if a container's 'root' also
gets to read it, or containers can read each other's 'root' values.

> Am I missing the part you wanted to discuss?

I'd really like to discuss how much I needed to break to get the mapped-devices,
file-systems and swap-devices to just 'work'. I even had to make a function to
return a mapped-device type, and have swap-devices not do dependency tests since
I technically don't use a device I've defined.

It'd be much much better if I could do something like this in my services:

  (devices (list (file-system
                   (uses '("/dev/matrix/root"))
                   (creates '("/"))
                   (device "/dev/matrix/root")
                   (mount-point "/")
                   (type "ext4"))
                 (swap-device
                   (uses '("/dev/mapper/matrix-swap"))
                   (creates '())
                   (device "/dev/mapper/matrix-swap"))
                 (lvm-device
                   (uses '("/dev/mapper/hdd" "/dev/sdb"))
                   (creates '("/dev/matrix/"
                              "/dev/mapper/matrix-swap"))
                   (devices '("/dev/mapper/hdd" "/dev/sdb")))
                 (luks-device
                   (uses '("UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb"))
                   (creates '("/dev/mapper/hdd"))
                   (device "UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb")
                   (name "hdd")
                   (key-file "..."))))

The issue is that it has a lot of duplicate information as I'm not sure
uses/creates could always map to device/mount-point, like LUKS names. But this
should satisfy most dependency issues automatically, I hope.

> Thanks,
> Ludo’.
> 
> PS: I still intend to look at the patch series you sent ;-), just
>     prioritizing things that relate to 0.9.1.

That's fine. :)
Jookia.
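Added example (not code from the message or from Guix): a small Python model of the uses/creates ordering sketched above, with constructed entries mirroring that sketch. Paths that nothing creates (the raw disk and the LUKS UUID) are treated as kernel-provided roots, a directory prefix such as "/dev/matrix/" is assumed to satisfy the nodes beneath it, and a cycle is reported instead of silently misordering devices.

```python
from graphlib import TopologicalSorter, CycleError

# name -> (uses, creates); constructed to mirror the sketch in the message.
DEVICES = {
    "root-fs": (["/dev/matrix/root"], ["/"]),
    "swap": (["/dev/mapper/matrix-swap"], []),
    "lvm": (["/dev/mapper/hdd", "/dev/sdb"],
            ["/dev/matrix/", "/dev/mapper/matrix-swap"]),
    "luks-hdd": (["UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb"],
                 ["/dev/mapper/hdd"]),
}


def provider_of(path, devices):
    """Name of the entry whose `creates` list satisfies `path`, else None."""
    for name, (_, creates) in devices.items():
        for made in creates:
            # A directory prefix ("/dev/matrix/") covers the nodes under it.
            # The root mount point "/" is a mount, not a device directory,
            # so it only matches exactly (an assumption of this model).
            is_dir = made.endswith("/") and made != "/"
            if path == made or (is_dir and path.startswith(made)):
                return name
    return None


def resolve_order(devices):
    """Return (activation order, kernel-provided paths); raise on cycles.

    Paths that no entry creates (raw disks, UUIDs the kernel exposes) are
    roots of the graph rather than errors.
    """
    graph, external = {}, set()
    for name, (uses, _) in devices.items():
        deps = set()
        for path in uses:
            prov = provider_of(path, devices)
            if prov is None:
                external.add(path)
            elif prov == name:
                raise ValueError(f"{name} uses a path it creates itself: {path}")
            else:
                deps.add(prov)
        graph[name] = deps  # predecessors: must be set up before `name`
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as err:
        raise ValueError(f"cyclic device dependencies: {err.args[1]}") from None
    return order, sorted(external)
```

With the entries above the resolver activates the LUKS mapping first, then LVM, and only then the root file system and swap, which is the order the hand-written mapped-devices list had to encode by position.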
