Current-Users archive
Full Disk Encryption with cgd (well, almost)
Hi -current users,
I have just managed to prototype a way to achieve (almost) full disk
encryption with cgd. I have tried to implement this while altering the
least amount of existing code and infrastructure that I could.
The approach I am taking is as follows:
- /dev/wd0a is a small bootable partition with:
  * boot,
  * boot.cfg,
  * a GENERIC kernel,
  * a ramdisk with a kernel module,
  * cgd.conf and the relevant encryption key (cgd0 /dev/wd0e)
- /dev/wd0e is the cgd partition
- the ramdisk (ramdisk-cgdroot.fs) was generated with the patch attached, a lot like for sysinst but with cgdconfig instead
- the kernel module is generated from this ramdisk
- boot.cfg boots the GENERIC kernel with the ramdisk enabled (menu=Boot:load /cgdroot.kmod;boot /netbsd.gz)
- a minimal /etc/rc within the ramdisk
  * mounts wd0a on /etc/cgd,
  * asks for the passphrase (with "cgdconfig -C"),
  * mounts the encrypted volume read-only (on "/altroot"),
  * and tells init (via "sysctl -w init.root=/altroot") to chroot before going on
- the system starts normally.
A few additional remarks:
- init really needs SMALLPROG disabled to handle the "init.root" sysctl (took me a while to figure out...)
- I had to move dmesg and ftp out of the common ramdisk code for amd64 because they did not build anymore with SMALLPROG disabled (WRT ftp it is related to SSL support)
- likewise, cgdconfig needs -lcrypto so I had to duplicate the libhack stuff
- I guess cgdroot.kmod is not built automatically with these changes, I'll welcome suggestions there
- I am not sure about the "right" way to generate cgdroot.kmod; I'm afraid, as it is, that it will try to build before miniroot.kmod is available (still have to test this)
- I guess I want the one in OBJDIR instead; what's the proper variable?
I believe this approach to be generic enough to be worth being available in the source tree. It would certainly make more sense if sysinst would support creating such setups out of the box - but IMHO this is a first step in this direction. Some of you have achieved similar setups already in different ways - let me know if a consensus can be reached here.
Less important:
- I guess "/altroot" was not exactly meant for this, but I read it as "alternate root" here and I find it adequate (?)
- the key is stored on the hard drive in this scenario, but that's not worse than the current official cgd howto
- I think it wouldn't work as-is with a XEN3_DOM0 kernel (which would require the ramdisk built in the kernel AFAICS)
About the attachments:
- list.cgdroot goes into src/distrib/common
- mtree.cgdroot goes also into src/distrib/common
- cgdroot.rc goes again into src/distrib/common
- Makefile goes into src/distrib/amd64/ramdisks/ramdisk-cgdroot
- list goes into src/distrib/amd64/ramdisks/ramdisk-cgdroot as well (and could be stripped down some more)
- patch-cgdroot.diff contains the modifications to the existing code
The mandatory console shot:
# mount
/dev/cgd0a on / type ffs (log, local)
HTH!
--
khorben
Attachment: list.cgdroot

# $NetBSD$
#
# list file (c.f. parselist.awk) for cgd full-disk encryption.
#
PROG sbin/cgdconfig
COPY ${NETBSDSRCDIR}/distrib/common/cgdroot.rc etc/rc

Attachment: mtree.cgdroot

# $NetBSD$
/set type=dir uname=root gname=wheel mode=0755
.
./altroot
./etc
./etc/cgd mode=0700

Attachment: cgdroot.rc

# $NetBSD$
#
# Copyright (c) 2013 Pierre Pronchery <khorben%netbsd.org@localhost>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Minimal environment for the ramdisk shell.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
TERM=wsvt25
export TERM
HOME=/
export HOME
BLOCKSIZE=1k
export BLOCKSIZE
EDITOR=ed
export EDITOR
umask 022
# Mount the cleartext boot partition (holding cgd.conf and the key) read-only,
# configure the cgd from it (cgdconfig -C reads /etc/cgd/cgd.conf by default),
# mount the encrypted root read-only and point init at it. If any step fails
# the chain stops before init.root is changed.
mount -o ro /dev/wd0a /etc/cgd &&
cgdconfig -C &&
mount -o ro /dev/cgd0a /altroot &&
sysctl -w init.root=/altroot
# The key partition is no longer needed once cgd0 is configured.
umount /etc/cgd
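A hardened variant of the cgdroot.rc above, added here as an example and not part of khorben's attachments: it keeps the same devices, mount points and init.root sysctl, but bounds the number of cgdconfig attempts, unmounts the key partition on every path, and drops to a shell rather than letting init continue on the ramdisk root when unlocking fails. CGD_TRIES and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the posted cgdroot.rc): ramdisk /etc/rc that unlocks
# the cgd root with bounded retries and explicit failure handling.
# Device names, mount points and cgd.conf location are the post's;
# CGD_TRIES is an assumed knob.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
umask 022
KEYDEV=/dev/wd0a        # small cleartext partition holding cgd.conf + key
KEYMNT=/etc/cgd         # cgdconfig -C reads ${KEYMNT}/cgd.conf by default
ROOTDEV=/dev/cgd0a
ROOTMNT=/altroot
CGD_TRIES=${CGD_TRIES:-3}

# Run cgdconfig -C up to $1 times; returns 0 once the cgd is configured,
# 1 when every attempt exited non-zero.
cgd_unlock() {
    n=$1
    while [ "$n" -gt 0 ]; do
        cgdconfig -C && return 0
        n=$((n - 1))
        echo "cgdconfig failed; $n attempt(s) left" >&2
    done
    return 1
}

# Mount the key partition read-only, unlock, unmount the key partition,
# then mount the encrypted root read-only and hand it to init.
# Returns non-zero if any step fails; the key partition is unmounted on
# every path, and init.root is only changed after the root is mounted.
cgd_boot_root() {
    mount -o ro "$KEYDEV" "$KEYMNT" || return 1
    if cgd_unlock "$CGD_TRIES"; then
        umount "$KEYMNT"
        mount -o ro "$ROOTDEV" "$ROOTMNT" &&
            sysctl -w init.root="$ROOTMNT"
    else
        umount "$KEYMNT"
        return 1
    fi
}

# init(8) starts /etc/rc as "sh /etc/rc autoboot"; only then act for real,
# so the script can also be sourced or tested without touching devices.
if [ "${1:-}" = autoboot ]; then
    cgd_boot_root || {
        echo "cannot unlock the encrypted root; dropping to a shell" >&2
        exec /bin/sh
    }
fi
```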

Attachment: Makefile (src/distrib/amd64/ramdisks/ramdisk-cgdroot)

# $NetBSD$
IMAGE= ramdisk-cgdroot.fs
IMAGESIZE= 5000k
IMAGEDEPENDS=
SMALLPROG= 0
USE_CGDROOT= yes
#XXX the test is "defined" instead of "= yes"
#USE_SYSINST= yes
SMALLPROG_INET6=1
.include "${.CURDIR}/../common/Makefile.ramdisk"
.if ${USE_CGDROOT} != "no"
LISTS+= ${DISTRIBDIR}/common/list.cgdroot
MTREECONF+= ${DISTRIBDIR}/common/mtree.cgdroot
.endif
.if ${USE_INET6} != "no"
LISTS+= ${DISTRIBDIR}/common/list.inet6
.endif
cgdroot.kmod: ${IMAGE}
	${OBJCOPY} --add-section miniroot=${IMAGE} \
	    --set-section-flags miniroot=alloc,contents,load,data \
	    ${DESTDIR}/stand/${MACHINE}/${MODULEVER}/modules/miniroot/miniroot.kmod \
	    cgdroot.kmod

Attachment: patch-cgdroot.diff

Index: amd64/ramdisks/Makefile
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/Makefile,v
retrieving revision 1.1
diff -p -u -r1.1 Makefile
--- amd64/ramdisks/Makefile 2 Jun 2006 22:11:52 -0000 1.1
+++ amd64/ramdisks/Makefile 21 Mar 2013 00:45:04 -0000
@@ -2,6 +2,7 @@
SUBDIR=
SUBDIR+= ramdisk
+SUBDIR+= ramdisk-cgdroot
TARGETS+= release
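Review bot: the new SUBDIR is added unconditionally, so every amd64 release build now descends into ramdisk-cgdroot, whose cgdroot.kmod target reads miniroot.kmod from ${DESTDIR}/stand/...; nothing in this SUBDIR list orders that after miniroot.kmod has been installed, which is exactly the ordering problem the cover note raises. Consider gating the entry on a build variable or adding an explicit dependency on the target that installs miniroot.kmod.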
Index: amd64/ramdisks/common/list.ramdisk
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/common/list.ramdisk,v
retrieving revision 1.18
diff -p -u -r1.18 list.ramdisk
--- amd64/ramdisks/common/list.ramdisk 15 Aug 2012 16:48:41 -0000 1.18
+++ amd64/ramdisks/common/list.ramdisk 21 Mar 2013 00:45:04 -0000
@@ -20,7 +20,6 @@ PROG bin/stty
PROG sbin/chown bin/chgrp
PROG sbin/disklabel
-PROG sbin/dmesg
PROG sbin/fsck
PROG sbin/fsck_ffs
PROG sbin/gpt
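Review bot: removing `PROG sbin/dmesg` from common/list.ramdisk affects every ramdisk built from this shared list, not just the cgdroot one; the matching `+PROG sbin/dmesg` later in the patch restores it for amd64/ramdisks/ramdisk only. Check the other consumers of list.ramdisk, or make the entry conditional on SMALLPROG since that is the stated reason it no longer builds.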
@@ -43,7 +42,6 @@ PROG sbin/route
PROG sbin/swapctl
PROG sbin/umount
-PROG usr/bin/ftp
PROG usr/bin/gzip usr/bin/gzcat usr/bin/gunzip
PROG usr/bin/sed
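Review bot: same concern as for dmesg: dropping `PROG usr/bin/ftp` from the shared list silently removes ftp from any other ramdisk that includes it. The cover note says the breakage is SSL-related with SMALLPROG disabled, so a SMALLPROG conditional would keep the common list intact for the ramdisks that still build with it enabled.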
@@ -65,9 +63,6 @@ SPECIAL route srcdir distrib/utils/x_ro
# init invokes the shell as -sh
ARGVLN sh -sh
-# libhack.o is built by Makefile & included Makefile.inc
-LIBS libhack.o -ledit -lutil -lcurses -lterminfo -lrmt -lcrypt -ll -lm -lz
-lprop
-
# various files that we need in /etc for the install
COPY ${NETBSDSRCDIR}/etc/group etc/group
COPY ${NETBSDSRCDIR}/etc/master.passwd etc/master.passwd
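Review bot: moving the LIBS line out of the shared list means every ramdisk list must now carry its own LIBS entry; the ramdisk-cgdroot list that adds -lcrypto (mentioned in the cover note) is not in the posted patch, so the set cannot be checked for completeness. Also, the removed LIBS line appears here with `-lprop` on a line of its own; if that split is in the patch file rather than mail wrapping, the hunk contains four removed lines while the `@@ -65,9 +63,6 @@` header accounts for three, and patch(1) will reject it.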
Index: amd64/ramdisks/ramdisk/list
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/ramdisk/list,v
retrieving revision 1.14
diff -p -u -r1.14 list
--- amd64/ramdisks/ramdisk/list 9 Jan 2012 17:45:03 -0000 1.14
+++ amd64/ramdisks/ramdisk/list 21 Mar 2013 00:45:04 -0000
@@ -1,5 +1,8 @@
# $NetBSD: list,v 1.14 2012/01/09 17:45:03 sborrill Exp $
+# libhack.o is built by Makefile & included Makefile.inc
+LIBS libhack.o -ledit -lutil -lcurses -lterminfo -lrmt -lcrypt -ll -lm -lz
-lprop
+
PROG bin/chio
PROG bin/dd
PROG bin/df
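Review bot: the `@@ -1,5 +1,8 @@` header counts three added lines, which only holds if the LIBS entry is a single line; as posted `-lprop` sits on its own line, so verify with `patch --dry-run` that the hunk applies before committing. Since the LIBS reference is now per-ramdisk, also confirm that the libhack.o rule in Makefile.inc referenced by the comment still runs for every ramdisk that lists libhack.o.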
@@ -11,6 +14,7 @@ PROG bin/sync
PROG libexec/lfs_cleanerd
PROG sbin/dkctl
+PROG sbin/dmesg
PROG sbin/fdisk
PROG sbin/mbrlabel
PROG sbin/mount_ext2fs
@@ -24,6 +28,7 @@ PROG sbin/shutdown
PROG sbin/slattach
PROG sbin/sysctl
+PROG usr/bin/ftp
PROG usr/bin/less usr/bin/more
PROG usr/bin/tip