Re: Full Disk Encryption with cgd (well, almost)

To: current-users%netbsd.org@localhost
Subject: Re: Full Disk Encryption with cgd (well, almost)
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Thu, 21 Mar 2013 19:10:40 +0100

                        Hi Alan, list,

On 21/03/2013 08:36, Alan Barrett wrote:
> On Thu, 21 Mar 2013, Pierre Pronchery wrote:
>> I have just managed to prototype a way to achieve (almost) full disk
>> encryption with cgd. I have tried to implement this while altering the
>> least amount of existing code and infrastructure that I could.
> 
> All that sounds fine.  My own setup is similar, but I don't use cgd.conf
> (I store the necessary parameters in a separate partition), and I parse
> dmesg to figure out the boot device, so it works with booting from an
> internal disk (wd0) and an external USB disk (sd0).  We should probably
> add a sysctl for the booted device.

Can kern.root_device be useful for you there?
(on my setup it's simply "md0")

>> A few additional remarks:
>> - init really needs SMALLPROG disabled to handle the "init.root" sysctl
>>  (took me a while to figure out...)
> 
> I added SMALLPROG.init=no and the necessary changes to make that work,
> so there's no need to globally disable SMALLPROG.

This does not seem to work for me :(
Would you have more details?

>> - likewise, cgdconfig needs -lcrypto so I had to duplicate the libhack
>>  stuff
> 
> I did not need to do anything like that.  I have this in the list.extra
> file for the ramdisk:
> 
> PROG    sbin/cgdconfig
> LIBS    -lcrypto

This works fine, thank you.

>> - I guess cgdroot.kmod is not built automatically with these changes,
>>  I'll welcome suggestions there
>> - I am not sure about the "right" way to generate cgdroot.kmod; I'm
>>  afraid, as it is, that it will try to build before miniroot.kmod is
>>  available (still have to test this)
>> - I guess I want the one in OBJDIR instead; what's the proper variable?
> 
> This part should be easy.

I think I figured it out - I have created an extra
distrib/amd64/cgdroot/kmod directory, containing this Makefile:

=== BEGIN PASTE ===
#       $NetBSD$

MINIROOT=       cgdroot
RAMDISK=        ramdisk-cgdroot

.include "../../common/Makefile.minirootkmod"
=== END PASTE ===

With this I'm also pretty sure it'll build in the right order (but I'll
test a full build anyway).

>> Less important:
>> - I guess "/altroot" was not exactly meant for this, but I read it as
>>  "alternate root" here and I find it adequate (?)
>> - the key is stored on the hard drive in this scenario, but that's not
>>  worse than the current official cgd howto
>> - I think it wouldn't work as-is with a XEN3_DOM0 kernel (which would
>>  require the ramdisk built in the kernel AFAICS)
> 
> All that seems fine.  The final step of building the ramdisk into the
> kernel instead of creating a miniroot.kmod will have to change for some
> platforms.

Certainly, but in the meantime this should work for i386 already. I'm
looking forward to testing this on evbarm with the Nokia N900 if at all
possible - that would be a very interesting feature there IMHO.

The next thing I'll welcome if my tests go well is a green flag to commit :)

Thank you for the helpful feedback already!
-- 
khorben

Follow-Ups:
- Re: Full Disk Encryption with cgd (well, almost)
  - From: Rhialto

References:
- Full Disk Encryption with cgd (well, almost)
  - From: Pierre Pronchery
- Re: Full Disk Encryption with cgd (well, almost)
  - From: Alan Barrett

Prev by Date: Re: dhc* in NetBSD 7.0
Next by Date: Automated report: NetBSD-current/i386 build failure
Previous by Thread: Re: Full Disk Encryption with cgd (well, almost)
Next by Thread: Re: Full Disk Encryption with cgd (well, almost)
Indexes:

Home | Main Index | Thread Index | Old Index