Re: [patch] sparc64 ofwboot.net manual config

2014-03-05 Thread Jean-Philippe Ouellet
Based on the number of commits today, I'm going to go ahead and guess the tree was unlocked from release mode. Does anybody want to take a look at this now? I think it may be a good idea to refactor the URL parsing code to be easier to read, follow, and reason about. There are many ways I could d

[diff] calendar.birthday

2014-03-05 Thread patrick keshishian
Index: calendar.birthday === RCS file: /cvs/obsd/src/usr.bin/calendar/calendars/calendar.birthday,v retrieving revision 1.57 diff -u -p -u -p -r1.57 calendar.birthday --- calendar.birthday 11 Feb 2014 12:20:34 - 1.57 +++ cal

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 23:17, Theo de Raadt wrote: >> But I believe, not having looked much at the code yet, that the kexec() >> approach would be simpler than implementing the pivot_root(). > Well, certainly less issues to deal with in C code. Instead you'll be > running up against debugging things relat

Re: Boot network for remote unlock of fde

2014-03-05 Thread Theo de Raadt
> But I believe, not having looked much at the code yet, that the kexec() > approach would be simpler than implementing the pivot_root(). Well, certainly less issues to deal with in C code. Instead you'll be running up against debugging things relating to that file called locore.S ...

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 23:01, Ted Unangst wrote: > If we're going to discuss things that would be useful, I have for > quite some time wanted a kexec() syscall that loads a new kernel and > reboots into it. I think that would be helpful for a variety of tasks, > not least of which is avoiding the four mi

Re: Boot network for remote unlock of fde

2014-03-05 Thread Ted Unangst
On Wed, Mar 05, 2014 at 22:28, Giancarlo Razzolini wrote: > Rather than that, what about contribute with ideas for this. I believe > that it's not only FDE unlocking that would benefit of early network. As > I mentioned before, the possibility of redirecting the console to the > ssh session is one

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 19:03, Chris Cappuccio wrote: > > Personally I think this sort-of soft-IPMI is a pretty cool idea and I found > Matthieu's reply enlightening as well. > > Apparently Linux has made some progress beyond pivot_root and there are > some interesting ideas there. (Note that we have a fu

Re: Boot network for remote unlock of fde

2014-03-05 Thread Kevin Chadwick
previously on this list Kevin Chadwick contributed: > Though I can understand the FDE approach for Linux due to its rather > and pointlessly (IMO) complex boot. Obviously not all using the linux kernel like buildroot for embedded which can be literally six lines of shell but probably every deskt

Re: Boot network for remote unlock of fde

2014-03-05 Thread Kevin Chadwick
previously on this list Giancarlo Razzolini contributed: > I prefer to have /etc and everything else > encrypted. If not, I would have to move lots of configuration files to > the encrypted partition, not to mention that it would be very error prone. You can always use symlinks or mount encrypted pa

Re: Boot network for remote unlock of fde

2014-03-05 Thread Stuart Henderson
On 2014/03/06 09:15, Damien Miller wrote: > On Wed, 5 Mar 2014, Stuart Henderson wrote: > > > What are you trying to protect against? > > > > If somebody has physical access, they can presumably replace the > > kernel/initramfs with a trojanned version ... > > It protects against stolen machines,

Re: Boot network for remote unlock of fde

2014-03-05 Thread Damien Miller
On Wed, 5 Mar 2014, Stuart Henderson wrote: > What are you trying to protect against? > > If somebody has physical access, they can presumably replace the > kernel/initramfs with a trojanned version ... It protects against stolen machines, but not active attacks. Our cryptoraid doesn't protect a

Re: Boot network for remote unlock of fde

2014-03-05 Thread Chris Cappuccio
Giancarlo Razzolini [grazzol...@gmail.com] wrote: > > One byproduct of such design would be the possibility of redirecting the > console to the ssh connection. I know this is deranging from the initial > idea, but make perfect sense. Anyway, I noted your concerns on this. > Now, anyone have any de

Re: Boot network for remote unlock of fde

2014-03-05 Thread Paul de Weerd
On Wed, Mar 05, 2014 at 06:36:55PM -0300, Giancarlo Razzolini wrote: | One byproduct of such design would be the possibility of redirecting the | console to the ssh connection. I know this is deranging from the initial | idea, but make perfect sense. Anyway, I noted your concerns on this. | Now, an

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 18:22, Ted Unangst wrote: > On Wed, Mar 05, 2014 at 17:48, Giancarlo Razzolini wrote: >> Thank you for your reply. I am tending for the generic solution for >> unlocking it via network. Not using console nor any hardware assist. On >> linux, using initramfs + busybox + dropbear

Re: Boot network for remote unlock of fde

2014-03-05 Thread Ted Unangst
On Wed, Mar 05, 2014 at 17:48, Giancarlo Razzolini wrote: > Thank you for your reply. I am tending for the generic solution for > unlocking it via network. Not using console nor any hardware assist. On > linux, using initramfs + busybox + dropbear + some other hacks, it works > quite well and s

Re: Boot network for remote unlock of fde

2014-03-05 Thread Matthieu Herrb
On Wed, Mar 05, 2014 at 06:11:35PM -0300, Giancarlo Razzolini wrote: > > > I'm not trying to protect anything. Physical access almost always > means game over. There could be some work on the area of trusted > booting, using TPM chips, but this is another beast entirely. > > I'm trying to

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 18:09, Jean-Philippe Ouellet wrote: > I'm aware of some issues in this area. > > You probably need to modify boot to default to serial console. The > normal approach, taken by the installer, is to use boot.conf, but of > course that's not readable before the disk is decrypted. This

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 18:05, Stuart Henderson wrote: > On 2014/03/05 17:48, Giancarlo Razzolini wrote: >> On 05-03-2014 17:30, Ted Unangst wrote: >>> On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote: Hi, I have one linux server that has full disk encryption, and I use

Re: Boot network for remote unlock of fde

2014-03-05 Thread Jean-Philippe Ouellet
On 3/5/14 3:30 PM, Ted Unangst wrote: > On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote: >> Hi, >> >> I have one linux server that has full disk encryption, and I use >> its initramfs with dropbear to be able to remote unlock the encrypted >> root partition. >> >> From what I read

Re: Boot network for remote unlock of fde

2014-03-05 Thread Stuart Henderson
On 2014/03/05 17:48, Giancarlo Razzolini wrote: > On 05-03-2014 17:30, Ted Unangst wrote: > > On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote: > >> Hi, > >> > >> I have one linux server that has full disk encryption, and I use > >> its initramfs with dropbear to be able to remote u

Re: Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
On 05-03-2014 17:30, Ted Unangst wrote: > On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote: >> Hi, >> >> I have one linux server that has full disk encryption, and I use >> its initramfs with dropbear to be able to remote unlock the encrypted >> root partition. >> >> From what I

Re: Boot network for remote unlock of fde

2014-03-05 Thread Ted Unangst
On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote: > Hi, > > I have one linux server that has full disk encryption, and I use > its initramfs with dropbear to be able to remote unlock the encrypted > root partition. > > From what I read from the OpenBSD documentation, this is not

Boot network for remote unlock of fde

2014-03-05 Thread Giancarlo Razzolini
Hi, I have one linux server that has full disk encryption, and I use its initramfs with dropbear to be able to remote unlock the encrypted root partition. From what I read from the OpenBSD documentation, this is not possible now. I want some guidance for what areas of code I would need t

Re: potential NULL pointer dereference in ifconfig.c

2014-03-05 Thread Matthew Weigel
On 2014-03-05 8:40, Remco wrote: I think there is a potential NULL pointer dereference in ifconfig.c. (I'm not aware of this causing actual problems, I just spotted it by accident) Index: ifconfig.c === RCS file: /cvs/src/sbin/ifc

potential NULL pointer dereference in ifconfig.c

2014-03-05 Thread Remco
I think there is a potential NULL pointer dereference in ifconfig.c. (I'm not aware of this causing actual problems, I just spotted it by accident) Index: ifconfig.c === RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v retrieving revisio