NetBSD-Users archive


Re: Encrypted root partition - boot failed (solved)



Hi All,
     Finally I was successful in booting NetBSD by using an encrypted 
root partition and an unconventional (for NetBSD) partition scheme.

I have followed the instructions given in 
https://wiki.netbsd.org/security/cgdroot/ but I have recompiled
the module cgdroot.kmod.

To do that, I have done a standard installation of NetBSD 9.0 in
a virtual machine, then I have added the source code under "/usr/src"
and recompiled the whole system (kernel and world).

Finally I have followed the steps for recompilation of the module
"cgdroot.kmod". One has to be careful at the point 
("The kernel module can be compiled in two steps") mentioned
in the documentation. The two steps are:
          1) Creating a ramdisk by executing "/usr/tools/bin/nbmake-amd64"
             after changing to the directory of cgd ramdisk:
             cd /usr/src/distrib/amd64/ramdisks/ramdisk-cgdroot/
          2) Building the module "cgdroot.kmod" with "/usr/tools/bin/nbmake-amd64"
             after changing to the directory "/usr/src/distrib/amd64/kmod-cgdroot".

Before doing these steps, one has to modify the file "cgdroot.rc"
(in the directory "/usr/src/distrib/common") to adapt it to
one's specific partition scheme.

For instance the modifications I have done are:

localhost$ diff cgdroot.rc*
40c40
< for dev in NAME=cgd.conf /dev/dk2 /dev/wd0a /dev/ld0a ; do
---
> for dev in NAME=cgd.conf /dev/wd0a /dev/ld0a ; do
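Review bot: `/dev/dk2` on the `<` line hard-codes a wedge number, and dkN numbers are assigned in discovery order, so they can shift when a disk or partition is added. The loop already tries `NAME=cgd.conf` first; giving the GPT boot partition that label should let the stock list find it without the extra entry.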
57c57
< mount -o ro /dev/dk4 /altroot
---
> mount -o ro /dev/cgd0a /altroot
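Review bot: hunk 57c57 is easy to misread, because `diff cgdroot.rc*` appears to put the edited file first, so the `<` line (`/dev/dk4`) is the new text and the `>` line (`/dev/cgd0a`) is the stock one. Naming both files explicitly, original first, would make the direction unambiguous. Since the thread says `/dev/dk4` only appears once `/dev/dk3` is decrypted, a comment in the script recording that dependency would help the next reader.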

Best regards

On Wed, 12 Aug 2020 19:05:00 +0200
Pierre Dupond <76nemo76%gmx.ch@localhost> wrote:

> Hi All,
>        The attachments of the previous mail were binary junk and
> not text. I don't know why. Hopefully, these ones are more correct.
> 
> Sorry for the inconvenience.
> 
> Best regards
> 
> On 12.08.20 at 18:50, Pierre Dupond wrote:
> > Hi All,
> >        I want to use NetBSD with the root partition encrypted. I have
> > followed these instructions: https://wiki.netbsd.org/security/cgdroot/.
> >
> > After installing the NetBSD 9.0 (not Current but with the CD image),
> > I am able to start the boot process but not to mount the boot partition
> > (the error message is provided in the image taken from the VirtualBox
> > screen found in attachment).
> >
> > I was not too surprised since I have created a guid partition booting
> > from standard BIOS. The boot partition is then /dev/dk2, the crypted
> > partition (with cgd) /dev/dk3 and the root partition of NetBSD /dev/dk4
> > (once the partition /dev/dk3 is decrypted).
> >
> > This scheme seems to be different from what is indicated in the
> > documentation where it is mentioned the partition wd0a (and wd0f).
> >
> > In attachment, you will find a listing of the different partition schemes
> > and the "ls" command done on the boot partition (/dev/dk2).
> >
> > Should I recompile the kernel module "cgdroot.kmod" to adapt the
> > different devices used in the procedure?  Should I do something else?
> >
> > I have no more ideas and some pointers to the correct solution
> > would be greatly appreciated.
> >
> > Thanks for your help.
> >
> > Best regards


-- 
Pierre Dupond <76nemo76%gmx.ch@localhost>

