Subject: Re: cgd root [was Re: enabling cgd by default]
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Daniel Carosone <dan@geek.com.au>
List: tech-kern
Date: 08/08/2007 18:08:39

On Wed, Aug 08, 2007 at 02:53:12AM -0400, der Mouse wrote:
> The first is, I'd like a way to have it prompt for the key on the
> console, directly from the kernel.  This would amount to
> pkcs5_pbkdf2/sha1, except with only the salt, or perhaps even nothing
> (see below) provided by cgdconfig; the kernel would prompt for the
> user-input portion.
>
> The other is, I'd like a way to put root on cgd.

I assume the former is mostly as a prerequisite for the latter?  Did
you have any other particular reasons to want it for its own sake?

As for root on cgd, are you aware of the init.root sysctl?  This is
intended to achieve essentially the same thing.  It's a feature of
init, whereby you can run a few simple processes (like cgdconfig and
mount) and then exit, and init will chroot to a specified directory
and run rc as normal.  The effective result is that every user process
ends up chrooted (ie, in your cgd).

If you combine this with a kernel that has the "real" root on an
md(4), with the image embedded in the kernel, you have something
essentially indistinguishable in practice from what you're after.

The threat and trust model for the bootblocks and kernel is the same,
just with a slightly larger kernel.  Put these on a usb flash stick
that you carry on your keyring separately, and you've reduced your
exposure further. (You still want to use an md root, rather than root
on usb, so you can detach the widget post-boot.  I also leave a
bootblock on the hard disk that boots to a useful message, so nobody
thinks the disk is empty.)

This is real, here now, and works very well.

One improvement (which would have other significant uses as well)
would be to enable root on tmpfs rather than md, with an analogous way
of populating the initial contents.  This would allow much easier
growth as an install or livecd-style system unpacks itself, as well as
allow reclaiming the space used by those initial tools once their work
is done.

--
Dan.