open-power / petitboot

GNU General Public License v2.0

LUKS / dm-crypt #70

Closed c0d3z3r0 closed 4 years ago

c0d3z3r0 commented 4 years ago

Is there a simple way to pass a LUKS secret to the kexec'ed kernel when the kernel itself is on the encrypted partition? Normally one has to enter the secret twice, I guess - the first time for petitboot and the second time after kexec.

klauskiwi commented 4 years ago

Unless I'm missing something, I can't think of any way Petitboot could do this, considering that we are kexec()'ing a second kernel that will need to mount its (own?) root filesystem. @sammj or @jk-ozlabs any thoughts?

grooverdan commented 4 years ago

Only could happen if a secret was pushed on the command line (and initrd managed to use this, and it's cleared somehow (that I don't know can be done)), or an alternate initrd is created by petitboot and booted which unlocks the luks store and then chainloads the second default distro initrd.

c0d3z3r0 commented 4 years ago

Yes, you're both right. After some experiments I finally found a solution that can be used independently of petitboot.

  1. Add memmap=1M!4G to both the bootloader kernel cmdline and the OS kernel cmdline
  2. Adapt the bootloader kernel keyscript (I'm using the keyctl script) to write the secret base64-encoded to /dev/pmem0
  3. Adapt the OS kernel keyscript to first try to read /dev/pmem0 if it exists, decode and try the password and wipe /dev/pmem0; if that fails fall back to interactive password entry
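The hand-off in the three steps above, as an added example written for this thread; it is not c0d3z3r0's keyscript and not petitboot code. It models the two keyscript halves as shell functions: the bootloader side stores the passphrase base64-encoded in the pmem region, the OS side reads it back, wipes the region, and falls back to a prompt when nothing usable is there. The `PMEM_DEV` override, the 1M region size and the function names are assumptions made for the example; in real use the device is /dev/pmem0 and each function would be the body of the respective keyscript, whose stdout cryptsetup consumes as the key.

```shell
#!/bin/sh
# Added example: keyscript-style functions for passing a LUKS passphrase
# across kexec via a reserved pmem region (memmap=1M!4G -> /dev/pmem0).
# PMEM_DEV is an assumed override so the functions can be exercised against
# an ordinary file instead of the real block device.

PMEM_DEV="${PMEM_DEV:-/dev/pmem0}"
PMEM_SIZE_KB=1024   # assumption: the 1M region reserved with memmap=1M!4G

# Bootloader-side keyscript: store the secret for the kexec'ed kernel.
# Usage: stash_secret 'passphrase'
# base64 on a single line followed by a newline; the reader takes the first
# line only, so the rest of the region (zeros or stale bytes) is ignored.
stash_secret() {
    { printf '%s' "$1" | base64 | tr -d '\n'; printf '\n'; } > "$PMEM_DEV"
}

# Overwrite the whole region with zeros so the secret does not linger in RAM
# after the OS kernel has picked it up (the pmem contents survive kexec).
wipe_secret() {
    dd if=/dev/zero of="$PMEM_DEV" bs=1024 count="$PMEM_SIZE_KB" conv=notrunc 2>/dev/null
}

# OS-side keyscript: emit the stashed secret on stdout, or prompt for one.
# Whether the passphrase actually unlocks the volume is cryptsetup's job;
# this function only models the hand-off.
fetch_secret() {
    if [ -e "$PMEM_DEV" ]; then
        encoded=$(head -n 1 "$PMEM_DEV" 2>/dev/null | tr -d '\0')
        # wipe before use, so a failed decode never leaves the blob behind
        wipe_secret
        if [ -n "$encoded" ]; then
            if decoded=$(printf '%s' "$encoded" | base64 -d 2>/dev/null); then
                printf '%s' "$decoded"
                return 0
            fi
        fi
    fi
    # Fallback: interactive entry, as without any stashed secret.
    printf 'Enter passphrase: ' >&2
    IFS= read -r pw || pw=""
    printf '%s' "$pw"
}
```

Note that base64 is an encoding, not protection: between the bootloader kernel writing the blob and the OS kernel wiping it, anything with access to /dev/pmem0 (or to the physical address range behind it) can read the passphrase, which is why the region is zeroed on the first read and why the OS-side script wipes it even when decoding fails.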

grooverdan commented 4 years ago

Good idea with pmem. NVRAM option of LoPAPR might be another option. Should be a minimum of 4k available.