Re: Image decryption support in GRUB?

Wed, 02 Aug 2000 07:18:12 -0700 

>>>>> Daniel Pittman writes:

 DP> This does address my needs, at this stage, and is certainly
 DP> something that I can implement inside GRUB. I would propose a new
 DP> command as follows

BTW, thanks for asking about the interface before you begin
implementation.  That way, if your patches become part of GRUB, you
will have saved us some work.

 DP> Firstly, could this code be accepted into GRUB at all? I am more
 DP> than happy to sign over rights on the code to the FSF and intend
 DP> to use only free algorithms in the implementation.

Like glibc-crypt, it would probably have to be a separate package that
could be downloaded from outside the USA and applied at build time.
And, of course, it would likely have its own
`--enable-translator=blowfish,twofish...'  configure option.

Other than that, I see no reason to reject it... it's just like adding
support for a different compression type.

 DP> Secondly, specific advice on my proposed API would be nice: is it
 DP> the right way to do this, or would you suggest some other method
 DP> for doing this?

 grub> root (nd)
 grub> kernel /tftproot/kernel.image
 grub> decrypt 12345678 # decrypt <key> 
 grub> module /tftproot/module.image
 grub> decrypt 87654321 # Need not be the same key boot

In order to make your decryption support both clean and extensible, I
would advise a more Hurdish approach:

 grub> settrans -a / blowfish 12345678 # use one key
 grub> kernel /tftproot/kernel.image
 grub> settrans -a / blowfish 87654321 # use another
 grub> module /tftproot/module.image
 grub> settrans -a / # clear the translator

This would take some work to implement properly, but I don't think
there's any hurry to complete it.  All we need is a design to agree on
for inserting arbitrary filters into the loaded stream, and then just
implement the parts as needed (so, no, I'm not suggesting a
full-fledged translator implementation... just a lookalike).

But first, I want to find out if the other developers think this is a
good idea (or can suggest something better, especially for an
interface).  I tried to strike a balance between Hurd syntax, and the
fact that GRUB can only have one file open at a time.

-- 
 Gordon Matzigkeit <[EMAIL PROTECTED]>  //\ I'm a FIG (http://fig.org/)
Committed to freedom and diversity \// I use GNU (http://www.gnu.org/)

Reply via email to