From: Glenn Washburn
To: grub-devel@gnu.org
Subject: Re: LUKS Encryption and Fingerprint readers?
Date: Fri, 30 Aug 2013 14:22:00 -0500
Message-ID: <20130830142200.3cbeb0b0@crass-Ideapad-Z570>
In-Reply-To: <521FACFE.1050906@iam.tj>
References: <520D06F7.5030900@iam.tj> <20130829141327.25173ac9@crass-Ideapad-Z570> <521FACFE.1050906@iam.tj>

On Thu, 29 Aug 2013 21:20:14 +0100 TJ wrote:

> that'd be silly so I'm now moving to whole-disc encryption with the
> boot-loader, kernel, and initrd on a key-fob USB.
>
> I'd still like GRUB to be able to read a key-file rather than a typed
> pass-phrase, and have the key-file hidden on a (second) small (1GB)
> randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.

Again. If your initrd and kernel are unencrypted on the USB, then you
don't need keyfile support or any encryption support in grub. Grub can
just load your linux environment and then you can have linux do all the
heavy lifting.

> If we can figure it out we'd like to be able to configure/unlock
> different LVM volumes based on which LUKS slot is used to unlock,
> too, and log the LUKS attempts from GRUB.

This really doesn't make sense. LVM volumes aren't "unlocked", LUKS
volumes sure.
And restricting access based on what key was used doesn't make much
sense either. LUKS key slots are for getting the single master key. So
regardless of which key slot is used, you get back the master key that
can decrypt the _whole_ LUKS container, yes, all the LVs. So in this
hypothetical system, for any key slot used, root will be able to access
all the LVs.

Why exactly are you wanting to activate an LV based on LUKS keyslot? Is
it because you want to prevent other users from accessing the other
LVs? Or is it merely to provide a mechanism for booting different OSes
(with no security implications)?

And I see no reason why you're needlessly trying to use grub, unless
your initrd or kernel are encrypted on the USB. Linux would be a much
more capable environment to work in.
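The key-slot point above can be seen in a small model of the LUKS header design. The following is an added illustration, not code from the thread or from GRUB or cryptsetup: every active slot wraps the same volume ("master") key under a key derived from that slot's passphrase, so whichever slot unlocks, the caller ends up holding the one key that decrypts the whole container. The wrapping cipher here is a SHA-256 counter keystream standing in for AES so the example runs with the standard library only; the slot count, iteration count and the `ToyLuksHeader` class are assumptions of this model, not the on-disk LUKS format (which also applies anti-forensic splitting).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Toy model of the LUKS key-slot scheme (constructed for illustration;
# not the real on-disk format). Each active slot holds a salt and the
# master key wrapped under a passphrase-derived key. Unlocking through
# ANY slot yields the SAME master key, which is why access cannot be
# restricted per slot: the container is all-or-nothing.

ITERATIONS = 10_000  # kept low so the demo runs quickly; real headers use far more


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stand-in for a block cipher: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyLuksHeader:
    def __init__(self, master_key: bytes, nslots: int = 8):
        # A PBKDF2 digest of the master key lets an unlock attempt be
        # verified without storing the key itself in the header.
        self.mk_salt = os.urandom(32)
        self.mk_digest = hashlib.pbkdf2_hmac("sha256", master_key, self.mk_salt, ITERATIONS)
        self.slots = [None] * nslots  # each active slot: (salt, wrapped_master_key)

    def add_slot(self, index: int, passphrase: str, master_key: bytes) -> None:
        """Enable a slot by wrapping the master key under this passphrase."""
        salt = os.urandom(32)
        slot_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
        wrapped = _xor(master_key, _keystream(slot_key, len(master_key)))
        self.slots[index] = (salt, wrapped)

    def kill_slot(self, index: int) -> None:
        """Revoke one passphrase; the master key itself is unchanged."""
        self.slots[index] = None

    def unlock(self, passphrase: str) -> Optional[Tuple[int, bytes]]:
        """Try every active slot; return (slot index, master key) or None."""
        for index, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            slot_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
            candidate = _xor(wrapped, _keystream(slot_key, len(wrapped)))
            digest = hashlib.pbkdf2_hmac("sha256", candidate, self.mk_salt, ITERATIONS)
            if hmac.compare_digest(digest, self.mk_digest):
                return index, candidate
        return None


def demo() -> dict:
    """Two slots, two passphrases, one master key (constructed sample data)."""
    master_key = os.urandom(32)
    hdr = ToyLuksHeader(master_key)
    hdr.add_slot(0, "admin passphrase", master_key)
    hdr.add_slot(3, "operator passphrase", master_key)
    via_admin = hdr.unlock("admin passphrase")
    via_operator = hdr.unlock("operator passphrase")
    wrong = hdr.unlock("not a passphrase")
    hdr.kill_slot(3)
    after_kill = hdr.unlock("operator passphrase")
    return {
        "admin_slot": via_admin[0],
        "operator_slot": via_operator[0],
        # Different slots, identical key: no per-slot access boundary exists.
        "same_master_key": via_admin[1] == via_operator[1] == master_key,
        "wrong_rejected": wrong is None,
        "killed_slot_rejected": after_kill is None,
    }


if __name__ == "__main__":
    print(demo())
```

The returned slot index is the only thing that differs between the two unlocks; it could drive logging or a boot-menu choice, but anything the operator of slot 3 can read, the holder of slot 0 can read too, because both hold the same master key. Killing a slot revokes a passphrase without changing the key, which is why the usual advice for a compromised passphrase on a shared container is to re-encrypt with a fresh master key rather than merely removing the slot.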