From mboxrd@z Thu Jan 1 00:00:00 1970 From: Chris Marusich Subject: Re: LUKS-encrypted root and unencrypted /boot ? Date: Sat, 04 Aug 2018 22:26:45 -0700 Message-ID: <87wot5crje.fsf@gmail.com> References: <87in4tgbg4.fsf@jnanam.net> <87effh8d94.fsf@lassieur.org> <87a7q3fkji.fsf@jnanam.net> <878t5n8eob.fsf@lassieur.org> <87effef8u3.fsf@jnanam.net> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:45915) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fmBZ7-0003iJ-Es for help-guix@gnu.org; Sun, 05 Aug 2018 01:26:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fmBZ6-0000Gv-IY for help-guix@gnu.org; Sun, 05 Aug 2018 01:26:53 -0400 Received: from mail-pl0-x235.google.com ([2607:f8b0:400e:c01::235]:35932) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fmBZ6-0000Gb-B1 for help-guix@gnu.org; Sun, 05 Aug 2018 01:26:52 -0400 Received: by mail-pl0-x235.google.com with SMTP id e11-v6so4270365plb.3 for ; Sat, 04 Aug 2018 22:26:52 -0700 (PDT) In-Reply-To: <87effef8u3.fsf@jnanam.net> (Benjamin Slade's message of "Sat, 04 Aug 2018 09:30:12 -0600") List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org Sender: "Help-Guix" To: Benjamin Slade Cc: help-guix@gnu.org, =?utf-8?Q?Cl=C3=A9ment?= Lassieur --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Benjamin Slade writes: > I mused briefly about mirroring of the relevant things (kernels, initrd) > from /gnu/store to /boot, but that's probably pretty hack-y. The parts of GuixSD which require maintaining state outside of the store tend to be a little complicated (in my opinion) because they don't fit neatly into the "functional software deployment model" bubble that the rest of Guix lives in. We currently do this for the GRUB config: we copy it out of the store into the /boot directory, instead of symlinking it. I believe this was done in order to support the use case of putting /gnu/store and /boot on different partitions. Technically, I think we could do the same sort of thing for Linux kernel images and initrds, but what's the goal? If the goal is just to make it so GRUB doesn't have to open the LUKS volume in order to boot, then your solution already meets the goal. However, since your solution puts all of /gnu/store in an unencrypted partition, you should keep in mind that anything you put in the store will also be unencrypted. Therefore, if you add anything from your home directory to the store (e.g., by using local-file [see: (guix) G-Expressions]), it may be exposed in the store. That said, since the store is generally readable by everybody on the system (and remotely, if you are using "guix publish"), one probably shouldn't be putting sensitive information in the store to begin with. Hope that helps! =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAltmipUACgkQ3UCaFdgi Rp3xbA/+K6lSvPaf2sjaTRW6ao16WYAOTPES0NgnWnArPGpRwEuS77lyQGuI1fus xJRL8O6OeRWa5f5BpamCQy7iz/nJSfE8Lr/w59DsGGe0yAmknloqWTBdxyrQO36o hjgw8Tafn3XUKmk3vPeg8pCfZrnAtUa8/8EpVQC9mMES7UPq5IYGF3cU3TIxjNWP VE3vVLoYm3+9iAAwdEpmaFOugbKZOgohiPcAvgX5742ORbHgnCnpC9XjH+xQ2nQx IgABSUr3nFHJPHuKzu+IK4EJOaN5LgSI7e4Id9DXy6wmKuyKFcIYKjTsROvVk8Nu Fv5WGV1Y9fZ+1BQMUc2c6pzSfVvMba5EKwhaIaB/IoLeHZYDQUN68A/D6+NtoSBm Gz0CRogD3OnJQGc6NjG60dGeDRfkuijVJiPKIBFWQzdQ4G0Vf8UjnOsukdWMngZX YE1p7gk+Nc9wFDyAqqa9JtuJ/PG09f6kraGlPPAdUuaZmHIbJtMTU/LehTGL19ZG aJt0+3PZBSVBBa67UQXCYXXEVtZqJkSNxfLGDbA5sUnsxEGx/0oWcPGWzyLN4jpz N9geDj54VE1pTuHE26ocIN3IygHta2SVPvdstUcHWIPhWukzx1guk6RWD28pmJc/ 8x/bfs3Kr80pB7KbU8wfrjKSJshixLHDTKjOV15mgXeeqJQlxMU= =fG1P -----END PGP SIGNATURE----- --=-=-=--