Current-Users archive


Full Disk Encryption with cgd (well, almost)

Hi -current users,

I have just managed to prototype a way to achieve (almost) full disk
encryption with cgd. I have tried to implement this while altering the
least amount of existing code and infrastructure that I could.

The approach I am taking is as follows:
- /dev/wd0a is a small bootable partition with:
  * boot,
  * boot.cfg,
  * a GENERIC kernel,
  * a ramdisk with a kernel module,
  * cgd.conf and the relevant encryption key
    (cgd0 /dev/wd0e)
- /dev/wd0e is the cgd partition
- the ramdisk (ramdisk-cgdroot.fs) was generated with the patch
  attached, a lot like for sysinst but with cgdconfig instead
- the kernel module is generated from this ramdisk
- boot.cgd boots the GENERIC kernel with the ramdisk enabled
  (menu=Boot:load /cgdroot.kmod;boot /netbsd.gz)
- a minimal /etc/rc within the ramdisk
  * mounts wd0a on /etc/cgd,
  * asks for the passphrase (with "cgdconfig -C"),
  * mounts the encrypted volume read-only (on "/altroot"),
  * and tells init (via "sysctl -w init.root=/altroot") to chroot
    before going on
- the system starts normally.

A few additional remarks:
- init really needs SMALLPROG disabled to handle the "init.root" sysctl
  (took me a while to figure out...)
- I had to move dmesg and ftp out of the common ramdisk code for amd64
  because they did not build anymore with SMALLPROG disabled (WRT ftp it
  is related to SSL support)
- likewise, cgdconfig needs -lcrypto so I had to duplicate the libhack
  stuff
- I guess cgdroot.kmod is not built automatically with these changes,
  I'll welcome suggestions there
- I am not sure about the "right" way to generate cgdroot.kmod; I'm
  afraid, as it is, that it will try to build before miniroot.kmod is
  available (still have to test this)
- I guess I want the one in OBJDIR instead; what's the proper variable?

I believe this approach to be generic enough to be worth being available
in the source tree. It would certainly make more sense if sysinst would
support creating such setups out of the box - but IMHO this is a first
step in this direction. Some of you have achieved similar setups already
in different ways - let me know if a consensus can be reached here.

Less important:
- I guess "/altroot" was not exactly meant for this, but I read it as
  "alternate root" here and I find it adequate (?)
- the key is stored on the hard drive in this scenario, but that's not
  worse than the current official cgd howto
- I think it wouldn't work as-is with a XEN3_DOM0 kernel (which would
  require the ramdisk built in the kernel AFAICS)

About the attachments:
- list.cgdroot goes into src/distrib/common
- mtree.cgdroot goes also into src/distrib/common
- cgdroot.rc goes again into src/distrib/common
- Makefile goes into src/distrib/amd64/ramdisks/ramdisk-cgdroot
- list goes into src/distrib/amd64/ramdisks/ramdisk-cgdroot as well
  (and could be stripped down some more)
- patch-cgdroot.diff contains the modifications to the existing code

The mandatory console shot:
# mount
/dev/cgd0a on / type ffs (log, local)

HTH!
-- 
khorben
Attachment: list.cgdroot

#       $NetBSD$
#
# list file (c.f. parselist.awk) for cgd full-disk encryption.
#

PROG    sbin/cgdconfig

COPY    ${NETBSDSRCDIR}/distrib/common/cgdroot.rc etc/rc
Attachment: mtree.cgdroot

#       $NetBSD$

/set                            type=dir uname=root gname=wheel mode=0755

.
./altroot
./etc
./etc/cgd                       mode=0700
Attachment: cgdroot.rc

#       $NetBSD$
#
# Copyright (c) 2013 Pierre Pronchery <khorben%netbsd.org@localhost>
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Minimal /etc/rc for the ramdisk: unlock the cgd volume and hand the real
# root filesystem to init.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
TERM=wsvt25
export TERM
HOME=/
export HOME
BLOCKSIZE=1k
export BLOCKSIZE
EDITOR=ed
export EDITOR

umask 022

# Mount the cleartext boot partition (cgd.conf plus key material) read-only
# where cgdconfig -C looks for it, ask for the passphrase, mount the decrypted
# root read-only on /altroot and tell init to chroot there before it goes on.
# The boot partition is unmounted again whether or not the chain succeeded.
mount -o ro /dev/wd0a /etc/cgd &&
cgdconfig -C &&
mount -o ro /dev/cgd0a /altroot &&
sysctl -w init.root=/altroot
umount /etc/cgd
Attachment: Makefile

#       $NetBSD$

IMAGE=          ramdisk-cgdroot.fs
IMAGESIZE=      5000k
IMAGEDEPENDS=   
SMALLPROG=      0
USE_CGDROOT=    yes
#XXX the test is "defined" instead of "= yes"
#USE_SYSINST=   yes
SMALLPROG_INET6=1

.include "${.CURDIR}/../common/Makefile.ramdisk"

.if ${USE_CGDROOT} != "no"
LISTS+=         ${DISTRIBDIR}/common/list.cgdroot
MTREECONF+=     ${DISTRIBDIR}/common/mtree.cgdroot
.endif

.if ${USE_INET6} != "no"
LISTS+=         ${DISTRIBDIR}/common/list.inet6
.endif

cgdroot.kmod: ${IMAGE}
	${OBJCOPY} --add-section miniroot=${IMAGE} \
		--set-section-flags miniroot=alloc,contents,load,data \
		${DESTDIR}/stand/${MACHINE}/${MODULEVER}/modules/miniroot/miniroot.kmod \
		cgdroot.kmod
Attachment: patch-cgdroot.diff

Index: amd64/ramdisks/Makefile
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/Makefile,v
retrieving revision 1.1
diff -p -u -r1.1 Makefile
--- amd64/ramdisks/Makefile     2 Jun 2006 22:11:52 -0000       1.1
+++ amd64/ramdisks/Makefile     21 Mar 2013 00:45:04 -0000
@@ -2,6 +2,7 @@
 
 SUBDIR=
 SUBDIR+=       ramdisk
+SUBDIR+=       ramdisk-cgdroot
 
 TARGETS+=      release
 
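Review bot: `+SUBDIR+= ramdisk-cgdroot` adds the new ramdisk (and its 5000k image) unconditionally to every amd64 build and release; a `.if` guard on a build-time variable would let it stay opt-in while it is still a prototype. Note also, as the mail says, that this SUBDIR entry alone does not cause cgdroot.kmod to be built.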
Index: amd64/ramdisks/common/list.ramdisk
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/common/list.ramdisk,v
retrieving revision 1.18
diff -p -u -r1.18 list.ramdisk
--- amd64/ramdisks/common/list.ramdisk  15 Aug 2012 16:48:41 -0000      1.18
+++ amd64/ramdisks/common/list.ramdisk  21 Mar 2013 00:45:04 -0000
@@ -20,7 +20,6 @@ PROG  bin/stty
 
 PROG   sbin/chown      bin/chgrp
 PROG   sbin/disklabel
-PROG   sbin/dmesg
 PROG   sbin/fsck
 PROG   sbin/fsck_ffs
 PROG   sbin/gpt
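Review bot: dropping `PROG sbin/dmesg` from the shared list.ramdisk changes every ramdisk built from that list, not only the new cgd one; the reason given in the mail (it no longer builds with SMALLPROG disabled) belongs in a comment next to this line, and each other consumer of the common list now needs its own PROG entry, which this patch only adds back in amd64/ramdisks/ramdisk/list.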
@@ -43,7 +42,6 @@ PROG  sbin/route
 PROG   sbin/swapctl
 PROG   sbin/umount
 
-PROG   usr/bin/ftp
 PROG   usr/bin/gzip    usr/bin/gzcat usr/bin/gunzip
 PROG   usr/bin/sed
 
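Review bot: same point as for dmesg: removing `PROG usr/bin/ftp` from the common list silently affects other ramdisks that include it, and the SSL-related reason for the move should be recorded in a comment here rather than only in the mail.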
@@ -65,9 +63,6 @@ SPECIAL       route           srcdir  distrib/utils/x_ro
 # init invokes the shell as -sh
 ARGVLN sh -sh
 
-# libhack.o is built by Makefile & included Makefile.inc
-LIBS   libhack.o -ledit -lutil -lcurses -lterminfo -lrmt -lcrypt -ll -lm -lz 
-lprop
-
 # various files that we need in /etc for the install
 COPY   ${NETBSDSRCDIR}/etc/group               etc/group
 COPY   ${NETBSDSRCDIR}/etc/master.passwd       etc/master.passwd
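Review bot: removing the `LIBS libhack.o ...` line from the common list means any list that includes list.ramdisk without its own LIBS entry now links against nothing; ramdisk-cgdroot's own list therefore needs a copy of this line plus -lcrypto (the mail says cgdconfig needs it), and a comment pointing to where the line moved would save the next reader a search.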
Index: amd64/ramdisks/ramdisk/list
===================================================================
RCS file: /cvsroot/src/distrib/amd64/ramdisks/ramdisk/list,v
retrieving revision 1.14
diff -p -u -r1.14 list
--- amd64/ramdisks/ramdisk/list 9 Jan 2012 17:45:03 -0000       1.14
+++ amd64/ramdisks/ramdisk/list 21 Mar 2013 00:45:04 -0000
@@ -1,5 +1,8 @@
 #      $NetBSD: list,v 1.14 2012/01/09 17:45:03 sborrill Exp $
 
+# libhack.o is built by Makefile & included Makefile.inc
+LIBS   libhack.o -ledit -lutil -lcurses -lterminfo -lrmt -lcrypt -ll -lm -lz 
-lprop
+
 PROG   bin/chio
 PROG   bin/dd
 PROG   bin/df
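Review bot: the added `+LIBS libhack.o ... -lz` line shows `-lprop` on a separate line without a `+` marker, which would be a malformed list entry if committed that way; confirm it is a single line in the actual patch and only wrapped in the mail.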
@@ -11,6 +14,7 @@ PROG  bin/sync
 PROG   libexec/lfs_cleanerd
 
 PROG   sbin/dkctl
+PROG   sbin/dmesg
 PROG   sbin/fdisk
 PROG   sbin/mbrlabel
 PROG   sbin/mount_ext2fs
@@ -24,6 +28,7 @@ PROG  sbin/shutdown
 PROG   sbin/slattach
 PROG   sbin/sysctl
 
+PROG   usr/bin/ftp
 PROG   usr/bin/less    usr/bin/more
 PROG   usr/bin/tip
 
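A more defensive variant of the ramdisk rc logic, as an added example that is not the cgdroot.rc attached to the mail: it retries the passphrase, releases the boot partition on every path and drops to a shell instead of letting init continue with the ramdisk as root. The devices and mount points are those from the mail; the BOOTDEV/CGDDIR/ROOTDEV/ALTROOT/CGD_TRIES variables and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the cgdroot.rc from the mail: the same unlock-and-pivot
# sequence written defensively.  Devices and paths follow the mail; the
# variables below and the function names are constructed for this example.

BOOTDEV=${BOOTDEV:-/dev/wd0a}     # small cleartext boot partition
CGDDIR=${CGDDIR:-/etc/cgd}        # where cgdconfig -C expects cgd.conf
ROOTDEV=${ROOTDEV:-/dev/cgd0a}    # filesystem inside the cgd volume
ALTROOT=${ALTROOT:-/altroot}      # mount point handed to init via init.root
CGD_TRIES=${CGD_TRIES:-3}         # passphrase attempts before giving up

# Ask for the passphrase up to CGD_TRIES times.  A wrong passphrase only makes
# cgdconfig -C fail when the params file sets a verify_method, so keep one.
unlock_cgd() {
	n=0
	while [ "$n" -lt "$CGD_TRIES" ]; do
		n=$((n + 1))
		cgdconfig -C && return 0
		echo "cgdconfig: attempt $n of $CGD_TRIES failed" >&2
	done
	return 1
}

# Mount the boot partition read-only, unlock, mount the decrypted root
# read-only and point init at it.  The boot partition (cgd.conf and key
# material) is unmounted again on every path, success or failure.
cgd_root() {
	mount -o ro "$BOOTDEV" "$CGDDIR" || return 1
	rc=1
	if unlock_cgd && mount -o ro "$ROOTDEV" "$ALTROOT"; then
		sysctl -w init.root="$ALTROOT" && rc=0
	fi
	umount "$CGDDIR"
	return $rc
}

# Only when installed as the ramdisk /etc/rc: fall to a shell on failure
# rather than letting init carry on with the ramdisk as root.
case "$0" in
*/rc) cgd_root || { echo "encrypted root not available" >&2; exec /bin/sh; } ;;
esac
```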