All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jason Kushmaul <jasonkushmaul@gmail.com>
To: grub-devel@gnu.org
Subject: Re: cryptodisk enabled returns to rescue prompt
Date: Sat, 29 Jun 2019 21:44:31 -0400	[thread overview]
Message-ID: <CAOvZ_Vhqk3R_iKHSS0_cRShyirUUpZRwWRYe7qzoR6SLBmsLwQ@mail.gmail.com> (raw)
In-Reply-To: <CAOvZ_VgbHwtLvwJ2EuHAcYabzLZyeMe_wLqhe25F1JcX91qmxw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3548 bytes --]

I'm sending this in a new thread using `git format-patch`

On Tue, Jun 25, 2019 at 12:48 AM Jason Kushmaul <jasonkushmaul@gmail.com>
wrote:

> Hello,
>
> I'm new to the list.  I've been working on this myself for personal
> reasons.  I think this should be viewed as an accessibility issue, not as a
> convenience.  Those that have motor impairments have a very difficult time
> booting their machines without a reboot, or rescue.
>
> Please see my patch attached which adds documentation, configuration, and
> implementation.  The patch is against master
> (4e7b5bb3be69633ed860cb74b0ef2c84a839523d) but I can change that if you
> like.
> I tested this in a virtualbox.
>
> If a more formal request is needed, I prepared this before finding this
> existing post:
>
> **************************************
> FEATURE
> **************************************
> Add LUKS full disk encryption passphrase retry config and logic, providing
> accessibility to people with motor impairments, Parkinson's, etc.
>
> **************************************
> JUSTIFICATION
> **************************************
> As of master (4e7b5bb3be69633ed860cb74b0ef2c84a839523d), I've found no
> other tickets mentioning this.
>
> When cryptodisk attempts to recover the key, it asks for the passphrase,
> just once.  You are required to reboot, or know how to recover grub
> yourself manually.
>
> Many people enjoy the confidence of encrypting their full disk, including
> /boot. However, for those who may be plagued with motor impairment, shaking
> of hands, twitches in the fingers as they type, one would have severe
> barriers to enjoying that same level of security due to bneing required to
> type a passphrase once, and getting it right without having to reboot again.
>
> I know there is a concern for security.  This configuration would default
> to 1 attempt as it is today, and those who chose, may choose any amount
> they like up to 256.  Defaulting to 1 will maintain exactly the same
> behavior for users upgrading.
>
> **************************************
> STEPS TO REPRODUCE
> **************************************
> Steps:
> * Setup
> * Observation
>
> Setup:
> * Encrypt the full disk using luks so that the /boot is contained in luks
> disk.
> * Use a passphrase 32 characters long with an equal distribution of
> [0-9a-zA-Z] and specials.
> * Boot and wait for passphrase prompt.
>
> Observation:
> Enter the incorrect password and hit enter.  You are not asked to retry,
> or allowed to configure it before install  of grub on the full disk crypto
> setup.  You must then type the full blown steps to ask again, or simply
> CTL-ALT-DEL and wait 45 more seconds...
>
> With the patches, one can configure with a "-t" and a number of retry
> attempts.  They will see the same prompt, see a notification about key
> recovery in progress, and if incorrect, another message stating such, but
> then be prompted again on failure.
>
> **************************************
> SUMMARY
> **************************************
> Those with motor impairments have a barrier preventing them from enjoying
>  LUKS full disk encryption with strong passphrases.  Causing them a need to
> reboot until correct.
>
> This is easy to reproduce, but a little more difficult to realize how
> people with impaired motor function would struggle.
>
> The changes in this patch offer a configurable way to increase the number
> of attempts from 1, to any number <= 256, but maintains the default
> behavior as all users expect, which is just 1 attempt.
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 4060 bytes --]

  reply	other threads:[~2019-06-30  1:44 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-25  4:48 cryptodisk enabled returns to rescue prompt Jason Kushmaul
2019-06-30  1:44 ` Jason Kushmaul [this message]
     [not found] <563D7A68.1030409@videotron.ca>
2015-11-07  7:28 ` Andrei Borzenkov
2015-11-07  8:58   ` westlake
2015-11-07  9:04     ` Andrei Borzenkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAOvZ_Vhqk3R_iKHSS0_cRShyirUUpZRwWRYe7qzoR6SLBmsLwQ@mail.gmail.com \
    --to=jasonkushmaul@gmail.com \
    --cc=grub-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.