[Pkg-cryptsetup-devel] Implementing a robust check-system

gebi at sbox.tugraz.at
Sat Feb 4 17:39:52 UTC 2006


Quoting Jonas Meurer <jonas at freesources.org>:

something i've forgotten:
it should be 1000% clear that none of our checks causes any
modifications to the underlying device.

>> - don't check for all filesystems and hope not to find one!
>
> what do you mean with that?
>
>> for swap:
>> - disable luks for swap usage in cryptdisks.
>> - if partitions is of type swap wipe it (if user sets / to type swap
>> it's his fault not ours!).
>
> or in other words in your checksystem_doc:

ok sorry, i'll switch to german here (sorry others):
What I meant by that was the following:
It is very hard to check against a set with an unknown number of members
and to hope that you find none of them. If you find none of them, you
think everything is in order.
So the checks will never be very effective, because there are too many
possibilities, and we don't have to check whether one specific one occurs,
but have to check all of them, and if our checks have found none we have
to hope that we haven't overlooked a few filesystems in the checks after all.

Hence the remark about software testing. If you test a piece of software
and find bugs, that doesn't mean it is bug-free. If you now transfer that
to our case, we are hoping for the fact that the software is bug-free
after our checks.

We can never implement all possible checks for filesystems and
combinations, but the safety relies on us knowing all combinations and
thereby being able to rule out that there is a filesystem on the
partition.

Is it a bit clearer now why I wanted to avoid these checks so much?

> the check for partition type swap is not sufficient. it is possible to
> use lvm volumes or whatever as swap partition, and these don't have any
> partition type. you understand?
> i think that it's a good idea to check for the partition type, and go
> ahead if it is swap. but if it is not swap (because not a physical
> partition at all) we cannot simply fail.

Imho we can...
If lvm/evms is not started the device does not exist and we should be fine.

But you are quite right, we could introduce a precheck option in  
crypttab to check against the most used filesystems under linux...
But it should be clearly outlined, that the power of this check is  
somewhat limited and does _NOT_ prevent dataloss under all  
circumstances.

> that's where i would check for an existing filesystem, just like for
> plain cryptsetup precheck.

please see above for the explanation in german.

> i think that we cannot avoid a precheck. at least we should provide one
> (for non-physical swap partitions, and for plain cryptsetup). we don't
> need to activate it per default, but still we should provide it.

I don't like the idea of checking against all known filesystems out
there and relying on the fact that we found no filesystem _known to US_.
Given the fact that there are so many fs out there, this check won't
be reliable.
Thus it gives the user a false sense of security against faults produced by him.

> - swap devices which are not a physical partition need to be supported.
>   thus, the check for partition type cannot be the only one for swap.

Swap devices which are not on physical partitions are well supported
with this schema, because the lvm/evms device the user gave us simply
does not exist if lvm/evms is not already started.

> - prechecks for all filesystems need to be possible, for logical swap
>   devices and for non-common plain cryptsetup devices.

We could provide it for swap devices as an option. but it's not that much
useful on plain cryptsetup devices.
1. because we cause NO dataloss even if it's the false partition.
2. we could verify the partition after cryptsetup open with a
postcheck... and thus also check if the user gave us the right password.

> - the default for plain cryptsetup should be as you suggested, precheck
>   is not default, but exists as a possible option.

yes, could be done, as a check for the most used filesystems under linux.
But imho we should bring our users to the point where they give us a
postcheck for plain cryptsetup. Because only with this is it possible
to produce a reliable check for both ways (false partition, false pw).

I'll edit the dev docu accordingly.

greets,
Michael
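The precheck/postcheck pair discussed in this message, as an added example that is not code from the mail, from cryptsetup or from the Debian cryptsetup package. It assumes blkid(8) and cryptsetup(8) on PATH and the old plain-mapping syntax (`cryptsetup create` / `cryptsetup remove`); the `check=<type>` crypttab option it refers to is hypothetical. The precheck only accepts a swap device that exists as a block device and on which blkid finds either a swap signature or nothing it recognises, which carries exactly the limitation the mail points out (blkid knows a finite list of signatures). The postcheck compares the type found on the opened mapping against the type the user declared, so both a wrong device and a wrong passphrase (pseudo-random plaintext, no recognisable signature) are rejected and the mapping is torn down. Neither helper writes to the device.

```shell
#!/bin/sh
# Added example (not the package's own code). Assumptions: blkid and
# cryptsetup are installed; plain mappings use "cryptsetup create".
# Both checks only READ from the device; nothing here modifies it.

# Report the signature type blkid recognises on a device; empty if none.
probe_type() {
    blkid -o value -s TYPE -- "$1" 2>/dev/null
}

# Precheck verdict for a swap entry, given what blkid found on the raw device.
# 0 (proceed) for "swap" or nothing recognised, 1 (refuse) for anything else.
# An empty result does NOT prove the device is unused: blkid only knows a
# finite list of signatures, which is the limitation discussed in the mail.
precheck_swap_verdict() {
    case "$1" in
        ""|swap) return 0 ;;
        *)       return 1 ;;
    esac
}

# Postcheck verdict: the type found on the opened mapping must equal the type
# declared in crypttab (hypothetical "check=<type>" option). A wrong passphrase
# on a plain mapping yields pseudo-random data, so blkid reports "" and the
# verdict is 1 just as for a wrong device.
postcheck_verdict() {
    expected=$1
    found=$2
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Precheck a swap device before any wipe/mkswap. It must exist as a block
# device: an LVM/EVMS volume whose group is not yet activated is simply absent.
precheck_swap() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "precheck: $dev is not a block device, skipping" >&2
        return 1
    fi
    found=$(probe_type "$dev")
    if precheck_swap_verdict "$found"; then
        return 0
    fi
    echo "precheck: $dev carries a '$found' signature, refusing to touch it" >&2
    return 1
}

# Open a plain mapping and verify it carries the declared filesystem; remove
# the mapping again on mismatch so a wrong device or passphrase is never used.
open_with_postcheck() {
    name=$1
    dev=$2
    expected=$3
    cryptsetup create "$name" "$dev" || return 1
    found=$(probe_type "/dev/mapper/$name")
    if postcheck_verdict "$expected" "$found"; then
        return 0
    fi
    echo "postcheck: /dev/mapper/$name is '${found:-unrecognised}', expected '$expected'" >&2
    cryptsetup remove "$name"
    return 1
}

# Example invocations (need root and real devices; not run here):
#   precheck_swap /dev/sda3 && mkswap /dev/sda3
#   open_with_postcheck crypthome /dev/sda5 ext3
```

The verdict functions are kept separate from the device-touching wrappers so the decision logic can be exercised without block devices; `precheck_swap_verdict` deliberately treats "nothing recognised" as a pass because refusing there would break every freshly partitioned swap device, which is why the postcheck, not the precheck, is the reliable one.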
