NetBSD-Users archive
Re: Of /var/db/entropy-file and booting kernels
On Wed, 6 May 2020 at 22:55, Eric S. Hvozda <hvozda%ack.org@localhost> wrote:
>
> I’m coloring way outside the lines, so it’s not readily apparent to me whether this is a bug, a structural behavior problem or something I am (or am not) doing.
>
> Please bear with me.
>
> The goal is to build a software RAID system that protects all file systems on > 2Tbyte disks.
>
> I have done this in the past with RAIDframe RAID1, FFS v2 and disk label on MBR without issue.
>
> However, while embracing GPT, I seem to have come across an interesting behavior.
>
> It is known that installing boot blocks on the devices supporting a raid set with GPT is useless (i.e. does not work due to lack of support).
>
> So, let’s take a page from the past:
>
> Create a smallish file system, that contains the boot blocks and the kernel, mark the root raid set as “soft” root and be happy.
>
> In general this means something like:
>
> newfs -O2 /dev/rdk0
> fsck -f /dev/rdk0
> mount /dev/dk0 /mnt
> cd /usr/mdec
> cp -p boot /mnt
> cd /
> cp -p boot.cfg netbsd* /mnt
> installboot -v /dev/rdk0 /usr/mdec/bootxx_ffsv2
> gpt biosboot -A -i 1 wd0
>
> As long as I am using the GENERIC kernel, this works.
>
> However, I am greedy; I would like to use kernel space address randomization (i.e. GENERIC_KASLR)
>
> If I deploy this kernel into dk0, and attempt to boot from it, boot will try all the basic kernel paths stating “no such file or directory” and then just loop forever doing this.
>
> A key press does interrupt the loop, and if I use “ls” from boot, I can see all the kernels.
>
> I can even boot manually by choosing the GENERIC kernel by name.
>
> However, no matter what I try, I cannot get GENERIC_KASLR to boot with this configuration.
>
> If I manually try to boot it via:
>
> boot kaslr

You don't boot KASLR this way.
You put

    menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr

in your boot.cfg and copy /usr/mdec/prekern to / .
(I copy the KASLR kernel to /netbsd_kaslr).

>
> I get:
>
> boot hd0a:kaslr: Invalid argument
>
> Then I saw PR #48702 filed in 2014.
>
> I never considered that it could be important for a kernel to have access to the entropy file at boot time.
>
> So I created the proper /var/db/entropy-file with rndctl(8) on /dev/dk0; still no luck.
>
> So I come to a standstill with several questions:
>
> * if my boot device and root device are not the same, can I not use GENERIC_KASLR?
> * it looks fairly important to have / and /var on the same filesystem now, security-wise, how bad do things get without starting entropy?
> (i.e. the balance of security vs operationally preventing / from filling up)
> * what is the problem with the GENERIC_KASLR kernel and this configuration?
> * If it is lack of an entropy-file, why is it still unhappy after being supplied one?
> * Surely we can have a better error message than “Invalid argument” :D
>
> Discussion, comments…?
--
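
A pre-reboot check for the setup described in the reply above, as an added example that is not part of the original thread: it reads boot.cfg on a mounted boot filesystem and reports which files a pkboot menu entry depends on are absent. The function names are hypothetical, and it assumes the bootloader resolves /prekern and the rndseed/pkboot paths on the filesystem it booted from.

```shell
#!/bin/sh
# Added example. Assumption: the bootloader resolves /prekern and every
# path named in boot.cfg on the filesystem it booted from, and the
# rndseed/pkboot arguments are plain paths (no device prefix or flags).

# check_kaslr_boot MOUNTPOINT
# Prints one "missing: ..." line per absent file; returns 0 if complete.
check_kaslr_boot() {
    mnt=$1
    cfg=$mnt/boot.cfg
    rc=0
    [ -f "$cfg" ] || { echo "missing: /boot.cfg"; return 1; }
    # Take menu lines that use pkboot, strip "menu=<title>:", and put
    # each ';'-separated command on its own line.
    cmds=$(sed -n '/pkboot/s/^menu=[^:]*://p' "$cfg" | tr ';' '\n')
    [ -n "$cmds" ] || { echo "missing: pkboot menu entry"; return 1; }
    # pkboot loads the prekern, which the reply copies to / .
    [ -f "$mnt/prekern" ] || { echo "missing: /prekern"; rc=1; }
    while read -r verb arg rest; do
        case $verb in
        rndseed|pkboot)
            path=/${arg#/}
            [ -f "$mnt$path" ] || { echo "missing: $path ($verb)"; rc=1; }
            ;;
        esac
    done <<EOF
$cmds
EOF
    return $rc
}

# Constructed sample: a boot filesystem that has the boot.cfg line from
# the reply and the kernel, but no prekern and no entropy file yet.
make_sample_bootfs() {
    d=$(mktemp -d) || return 1
    echo 'menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr' \
        > "$d/boot.cfg"
    : > "$d/netbsd_kaslr"
    echo "$d"
}
```

With the small boot filesystem mounted on /mnt as in the original post, `check_kaslr_boot /mnt` lists what still has to be copied there before rebooting.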