Lennart Poettering

Results 1507 comments of Lennart Poettering

> It's not just the 8K, it's all the work to get there and kick the userspace helper process and all that. All of it adds up to a measurable...

So if a coredump event that userspace immediately refuses (i.e. closes the pipe on) causes the kernel to still do all the work anyway, then this is pretty clearly a...

> You keep saying "fix the kernel", but how would that even work? The only way the kernel has to decide it doesn't need to do _any_ work is RLIMIT_CORE,...

looks good. but misses one fundamental part: hookup with cryptsetup to actually look for this metadata. i.e. the `try-empty-password=` setting should probably get a third accepted value besides yes and...

> On LUKS2, cryptsetup itself will use the empty password using the plugin. This is because `systemd-cryptsetup` calls `crypt_activate_by_token_pin` and tells cryptsetup to try all tokens. I don't think cryptsetup...

So this looks great actually. Just some minor fixups and this can land.

> If that is the concern, shouldn't that be impossible? My understanding is that cryptsetup will try all available tokens. Ones that require a pin will return ENOANO. However, `systemd-empty`...

> TODO: We need to discuss the effect this may have re: security. i.e. If we can auto-unlock the root partition on a malicious boot disk, that may be a...

> I don't think I have a PR that is relevant to the security concern. Should I open an issue about it?

hhm, wait, maybe i misunderstood something there. yeah,...