Current-Users archive
Re: Full Disk Encryption with cgd (well, almost)
On Fri, Mar 22, 2013 at 12:11:35AM +0100, Rhialto wrote:
> On Thu 21 Mar 2013 at 03:01:55 +0100, Pierre Pronchery wrote:
> > The approach I am taking is as follows:
> > - /dev/wd0a is a small bootable partition with:
> >   * boot,
> >   * boot.cfg,
> >   * a GENERIC kernel,
> >   * a ramdisk with a kernel module,
> >   * cgd.conf and the relevant encryption key
> >     (cgd0 /dev/wd0e)
> > - /dev/wd0e is the cgd partition
> > - the ramdisk (ramdisk-cgdroot.fs) was generated with the patch
> >   attached, a lot like for sysinst but with cgdconfig instead
> > - the kernel module is generated from this ramdisk
> > - boot.cgd boots the GENERIC kernel with the ramdisk enabled
> >   (menu=Boot:load /cgdroot.kmod;boot /netbsd.gz)
> > - a minimal /etc/rc within the ramdisk
> >   * mounts wd0a on /etc/cgd,
> >   * asks for the passphrase (with "cgdconfig -C"),
> >   * mounts the encrypted volume read-only (on "/altroot"),
> >   * and tells init (via "sysctl -w init.root=/altroot") to chroot
> >     before going on
>
> Is there any particular reason why cgdconfig and /etc/rc are in a
> ramdisk, rather than in the unencrypted /dev/wd0a? A ramdisk makes it so
> much more complicated to update stuff, but it offers no security anyway
> since it is unencrypted itself.

It would certainly make it easier to achieve a trusted boot using the
TPM -- you can stop worrying what the TPM says as soon as the signature
on the kernel and ramdisk check out.
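
The minimal ramdisk /etc/rc described in the quoted message, as an added sketch that is not the poster's script or part of the attached patch. Assumptions: the root filesystem is partition "a" of cgd0 (/dev/cgd0a), three attempts are allowed, failure drops to /bin/sh, and the hypothetical DRY_RUN switch prints commands instead of running them.

```sh
#!/bin/sh
# Added sketch of the ramdisk /etc/rc from the quoted message (not the poster's code).
# From the message: /dev/wd0a, /etc/cgd, "cgdconfig -C", /altroot, init.root.
# Assumptions: /dev/cgd0a as root partition, MAX_TRIES, DRY_RUN, shell fallback.

BOOT_DEV=/dev/wd0a                 # small unencrypted boot partition
ROOT_DEV=${ROOT_DEV:-/dev/cgd0a}   # assumption: partition letter inside cgd0
NEWROOT=/altroot                   # where the encrypted volume is mounted
MAX_TRIES=${MAX_TRIES:-3}          # assumption: attempts before giving up

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

cgdroot_rc() {
    # cgd.conf and the key parameters live on the boot partition.
    run mount "$BOOT_DEV" /etc/cgd || return 1

    # Configure every device listed in /etc/cgd/cgd.conf; prompts for the
    # passphrase. A wrong passphrase is only detected here if the parameters
    # file sets a verify_method other than "none".
    tries=0
    until run cgdconfig -C; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$MAX_TRIES" ]; then
            echo "cgdconfig failed $tries times, not switching root" >&2
            return 1
        fi
    done

    # Mount read-only; if this fails (e.g. garbage from a bad key),
    # unconfigure the cgd and never touch init.root.
    if ! run mount -r "$ROOT_DEV" "$NEWROOT"; then
        run cgdconfig -U
        return 1
    fi

    # Only now tell init to chroot into the decrypted volume.
    run sysctl -w init.root="$NEWROOT"
}

# Execute only when installed as /etc/rc; otherwise just define the functions.
case "$0" in
    */rc|rc) cgdroot_rc || exec /bin/sh ;;
esac
```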