Closed c0d3z3r0 closed 4 years ago
Unless I'm missing something, I can't think of any way Petitboot could do this, considering that we are kexec()'ing a second kernel that will need to mount its (own?) root filesystem. @sammj or @jk-ozlabs any thoughts?
Could only happen if a secret was pushed on the command line (and the initrd managed to use this, and it's cleared somehow (that I don't know can be done)), or an alternate initrd is created by petitboot and booted which unlocks the LUKS store and then chainloads the second default distro initrd.
Yes, you're both right. After some experiments I finally found a solution that can be used independently of petitboot.

1. memmap=1M!4G to both the bootloader kernel cmdline and the OS kernel cmdline
2. /dev/pmem0
3. /dev/pmem0 if it exists, decode and try the password and wipe /dev/pmem0; if that fails fall back to interactive password entry

Good idea with pmem. NVRAM option of LoPAPR might be another option. Should be a minimum of 4k available.
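The OS-side half of the pmem hand-off sketched above, as an added example that is not code from this thread or from petitboot: an initrd hook that reads a framed passphrase from the reserved region, wipes the region before attempting the unlock so the secret does not survive in RAM on any path, and returns non-zero so the caller can fall back to interactive entry. The "LUKS1:" + base64 framing, the 1 MiB region size (matching memmap=1M!4G), and the PMEM_DEV / UNLOCK_CMD variables are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed framing written by the bootloader
# side: "LUKS1:<base64 passphrase>\n" followed by zeros, in a 1 MiB region.
PMEM_DEV="${PMEM_DEV:-/dev/pmem0}"
# UNLOCK_CMD gets the raw passphrase on stdin and must exit 0 on success.
# Assumed device/mapping names; adjust for the real root volume.
UNLOCK_CMD="${UNLOCK_CMD:-cryptsetup open /dev/sda2 cryptroot --key-file=-}"
MAGIC="LUKS1:"

# Overwrite the whole 1 MiB region with zeros so the secret is gone after this boot.
wipe_pmem() {
    dd if=/dev/zero of="$1" bs=4096 count=256 conv=notrunc 2>/dev/null
}

# Print the decoded passphrase from the first 4 KiB; fail if absent or unframed.
read_pmem_secret() {
    [ -r "$1" ] || return 1
    line=$(dd if="$1" bs=4096 count=1 2>/dev/null | tr -d '\0' | head -n 1)
    case "$line" in
        "$MAGIC"*) ;;
        *) return 1 ;;
    esac
    printf '%s' "${line#"$MAGIC"}" | base64 -d 2>/dev/null
}

# 0 = volume unlocked from pmem; 1 = caller should prompt interactively.
# The region is wiped before the unlock attempt, whether or not it succeeds.
try_pmem_unlock() {
    secret=$(read_pmem_secret "$PMEM_DEV") || { wipe_pmem "$PMEM_DEV"; return 1; }
    wipe_pmem "$PMEM_DEV"
    printf '%s' "$secret" | sh -c "$UNLOCK_CMD"
}
```

In a real initrd the caller would run try_pmem_unlock first and only invoke the normal cryptsetup prompt when it returns 1.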
Is there a simple way to pass a LUKS secret to the kexec'ed kernel when the kernel itself is on the encrypted partition? Normally one has to enter the secret twice, I guess - the first time for petitboot and the second time after kexec.