Current-Users archive


Re: (almost) full disk encryption, cgdroot and firmware



Alexander Nasonov <alnsn%yandex.ru@localhost> writes:

> This is my story on (almost) full disk encryption.
>
> I followed Pierre Proncher's instruction from Mar 2013. To my
> surprise, it worked on the first boot. However, networking didn't
> work because the kernel couldn't load iwm firmware.
>
> After a couple of attempts to fix firmware loading, I gave up on
> cgdroot ramdisk and switched to a fake root on wd0a. It's similar
> to cgdroot but with modules and firmware files. I hard-linked a few
> binaries including init from /rescue.
>
> My setup has not one but two cgd devices: cgd0 for a real root and
> cgd1 for other partitions. cgd0's key is stored on unencrypted
> wd0a, cgd1's key is stored on the real root cgd0a. I have to enter
> two passwords instead of one but this setup gives me some protection
> from an unsophisticated keylogger. Since wd0a is read-only, I can
> add wd0a integrity check before running the second cgdconfig -C
> command and abort before entering the second password if the check
> fails. A real rootkit can easily fool the integrity checker, though.
>
> Alex


I ran with a similar set up for quite a while including the use of an iwm
based wireless card.  I assume you used init.root and pointed it at the
cgd after the password was given.  If so, then I believe that the trick
to getting the firmware to load is that it must be placed in the
filesystem that the kernel actually was booted from and not the one that
is chrooted to from init.  It sounds like in your case that would have
been the ramdrive; in my version of this it was an external flash disk.
I basically put a copy of /libdata on the boot media.  Without doing
this, the firmware wouldn't be found even if it was present in the
cgd filesystem that init.root chroot'ed to.


-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS
http://anduin.eldar.org  - & -  http://anduin.ipv6.eldar.org [IPv6 only]
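The two practical points in this thread, staging firmware on the filesystem the kernel booted from and gating the second cgdconfig -C behind an integrity check of the read-only wd0a, can be scripted. The following is an added example written for this archive page; it is not code from either poster or from NetBSD. The mount point BOOTFS, the manifest path MANIFEST, the assumption that /etc/cgd/cgd.conf on the real root lists cgd1, and the helper names are all illustrative. The manifest is kept on the encrypted root (cgd0a) so that an attacker who can only write wd0a cannot also update the expected digests; as the original post notes, this only defeats unsophisticated tampering, since a rootkit that already controls the booted kernel can lie to the checker.

```shell
#!/bin/sh
# Added example, not the posters' own scripts. Assumed layout:
#   BOOTFS   - where the read-only wd0a boot filesystem is mounted
#   MANIFEST - SHA-256 manifest of wd0a, stored on the encrypted root cgd0a
BOOTFS=${BOOTFS:-/bootfs}
MANIFEST=${MANIFEST:-/etc/cgd/wd0a.sha256}

# SHA-256 of one file as a bare hex string, using whichever tool exists:
# sha256sum (GNU), sha256 (NetBSD cksum link) or openssl.
digest_of() {
    [ -f "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 "$1" | awk '{print $NF}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Emit "digest  ./relative/path" for every regular file under $1, sorted so
# the manifest is reproducible.
make_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort) | while read -r p; do
        printf '%s  %s\n' "$(digest_of "$1/$p")" "$p"
    done
}

# Check directory $1 against manifest $2. Returns 1 and names the offender
# on stderr if a listed file is missing or modified, or if files were added
# (a dropped-in binary or firmware blob would show up as an extra file).
verify_manifest() {
    vm_rc=0
    while read -r expected path; do
        actual=$(digest_of "$1/$path") || { echo "MISSING  $path" >&2; vm_rc=1; continue; }
        [ "$actual" = "$expected" ] || { echo "MODIFIED $path" >&2; vm_rc=1; }
    done < "$2"
    listed=$(wc -l < "$2" | tr -d ' ')
    present=$(cd "$1" && find . -type f | wc -l | tr -d ' ')
    [ "$listed" -eq "$present" ] || { echo "ADDED: $present files on disk, $listed in manifest" >&2; vm_rc=1; }
    return $vm_rc
}

# One-time setup, run from the fully unlocked system: give the boot
# filesystem its own copy of the firmware (the kernel loads firmware from
# the filesystem it booted from, not from the cgd that init.root chroots
# into), then record wd0a's manifest on the encrypted root.
stage_boot_media() {
    mkdir -p "$BOOTFS/libdata"
    cp -Rp /libdata/firmware "$BOOTFS/libdata/"
    make_manifest "$BOOTFS" > "$MANIFEST"
}

# Boot-time gate, run once cgd0 is configured and the real root is mounted:
# refuse to prompt for the second passphrase if wd0a no longer matches.
unlock_second_cgd() {
    if ! verify_manifest "$BOOTFS" "$MANIFEST"; then
        echo "wd0a integrity check failed; not configuring cgd1" >&2
        return 1
    fi
    cgdconfig -C   # assumed: cgd.conf on the real root lists cgd1, so this prompts for its passphrase
}

case "${1:-}" in
    stage)  stage_boot_media ;;
    unlock) unlock_second_cgd ;;
esac
```

Run it as `sh wd0a-gate.sh stage` once from the unlocked system, and call `unlock` from the real root's rc sequence before anything that needs cgd1. The manifest covers every regular file on wd0a, including the fake root's hard-linked /rescue binaries and the cgd0 key file, which is why it must live on cgd0a rather than beside the files it describes.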

