Hi Chris,

On Sat, 12 May 2018 at 19:10:43 +0100, Chris Lamb wrote:
> It would be nice if the sleep-on-failure time was configurable, just
> like tries=N, etc.
>
> Patch attached.
Thanks for the patch! (We discussed this bug IRL, but let me follow up here for the sake of transparency.)

The sleep-on-failure behavior was added in 2:1.7.3-2 as a mitigation for local brute-force attacks (CVE-2016-4484). See mejo's blog post about it: https://blog.freesources.org/posts/2016/12/CVE-2016-4484/

Given that a major refactoring of the initramfs integration is ongoing, I didn't merge your patch. In fact, we all seem to agree that the attack vector described in the CVE isn't really related to cryptsetup nor its initramfs integration (if one protects the BIOS and passes the ‘panic=<sec>’ parameter on the kernel command line, the boot script no longer yields a debug shell after a couple of failed attempts at unlocking the root device), and that our mitigation gives a marginal security gain. So we're likely to remove said mitigation as part of our refactoring. You intended to use the ‘failsleep=<sec>’ boot parameter to disable it, right?

Of course, since it was our response to the CVE, we shouldn't remove it silently. I guess a follow-up to mejo's blog post and/or an entry in the NEWS file are appropriate. Either way, we'll keep that bug open until we either merge your patch or decide to remove the mitigation.

Cheers,
-- 
Guilhem.
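To make the parameters discussed in this thread concrete, here is an added example (written for this page, not code from the cryptsetup package or from either message) of a minimal initramfs-style retry loop that reads `tries=N` and `failsleep=<sec>` from a kernel command line string and sleeps after each failed unlock attempt. The `cmdline_get`, `fake_unlock` and `unlock_with_retry` names and the `failsleep` default are assumptions; `fake_unlock` is a constructed stand-in for the real unlock step so the script runs offline.

```shell
#!/bin/sh
# Added example, not the cryptsetup initramfs script. It shows how a
# configurable sleep-on-failure delay (the CVE-2016-4484 mitigation
# made tunable via failsleep=<sec>) would sit next to tries=N.

# Print the value of "key=value" from a kernel command line string,
# or the given default when the key is absent. Last occurrence wins,
# matching the usual "later parameter overrides earlier" convention.
cmdline_get() {
    # $1: command line, $2: key, $3: default
    _val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1)
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Constructed stand-in for the unlock step (assumption): succeeds only
# when the attempted passphrase equals the expected one.
fake_unlock() {
    [ "$1" = "$2" ]
}

# Attempt to unlock up to $tries times. After each failure, sleep for
# $failsleep seconds; failsleep=0 disables the delay. Prints the number
# of attempts used; returns 0 on success, 1 when every attempt failed.
unlock_with_retry() {
    # $1: kernel cmdline, $2: expected passphrase, $3...: attempted passphrases
    _cmdline=$1; _expected=$2; shift 2
    _tries=$(cmdline_get "$_cmdline" tries 3)
    _failsleep=$(cmdline_get "$_cmdline" failsleep 1)
    _n=0
    for _attempt in "$@"; do
        _n=$((_n + 1))
        if fake_unlock "$_attempt" "$_expected"; then
            echo "$_n"
            return 0
        fi
        [ "$_n" -ge "$_tries" ] && break
        # Sleep on failure: this is the brute-force mitigation, now
        # driven by the failsleep= parameter instead of a fixed value.
        [ "$_failsleep" -gt 0 ] && sleep "$_failsleep"
    done
    echo "$_n"
    return 1
}
```

With `failsleep=0` the loop behaves exactly as if the mitigation were removed, which is why the thread treats that parameter as the user-facing way to opt out while the package decides whether to drop the delay altogether.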